regedit.exe

File Path: C:\WINDOWS\SysWOW64\regedit.exe
Description: Registry Editor

Screenshot

regedit.exe

Hashes

Type	Hash
MD5	`4506B1C9773B2400B44FBD5C2D70A13F`
SHA1	`3941269147D43D6803E4E355D6D67939F2C23B40`
SHA256	`B53F00C3BF125ED2953B4D0936CD01E1BD1B01FB24E67C4A58E7E8D482BCDE8E`
SHA384	`2A74AABF4BD79FE9A93618F7B64FA63534F1E8634AB417E850B06AF7F301A0E04438675EB3EA40F248A9BF10FCE2AF5D`
SHA512	`B5FD54C061F56DA1C40F724E5DF216807421639CD17B990F16B7E45F19B7670034C486939D45243B92DD1F12B038DCEDA907E2A24E9030FAD2DE143D41138E73`
SSDEEP	`6144:PDB4PPSoWqwWKbN8w7ugQRZ66z+n4VZbd8g79pgrXNgRnVLjyzhbkidNN2P:PDB4PPS7Hz6wfQRZ66z24VZbdrpgrXNi`
IMP	`E38AC1F1BFCDCC722D22CC5E0517D9B6`
PESHA1	`F6EA218693CE68514CEC7C30A7FC67487DF6BF8F`
PE256	`66B6901F8F41F9E18C0D24094533641DD3575874E47040F9EFE4533517FD054B`

Runtime Data

Window Title:

Registry Editor

Open Handles:

Path	Type
(R-D) C:\Windows\Fonts\StaticCache.dat	File
(R-D) C:\Windows\System32\en-US\aclui.dll.mui	File
(R-D) C:\Windows\System32\en-US\duser.dll.mui	File
(R-D) C:\Windows\SystemResources\imageres.dll.mun	File
(R-D) C:\Windows\SysWOW64\en-US\regedit.exe.mui	File
(R-D) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.22000.1_en-us_b335b4dbed333454\comctl32.dll.mui	File
(RW-) C:\Windows	File
(RW-) C:\Windows\SysWOW64	File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.22000.1_en-us_b335b4dbed333454	File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_e541a94fcce8ed6d	File
\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db	Section
\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db	Section
\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches*cversions.2.ro	Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0	Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0	Section
\Sessions\2\Windows\Theme1077709572	Section
\Windows\Theme3461253685	Section

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\regedit.exe

Signature

Status: Signature verified.
Serial: 33000002ED2C45E4C145CF48440000000002ED
Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

Original Filename: REGEDIT.EXE.MUI
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 10.0.22000.1 (WinBuild.160101.0800)
Product Version: 10.0.22000.1
Language: English (United States)
Machine Type: 32-bit

File Scan

VirusTotal Detections: 0/73
VirusTotal Link: https://www.virustotal.com/gui/file/b53f00c3bf125ed2953b4d0936cd01e1bd1b01fb24e67c4a58e7e8d482bcde8e/detection

File Similarity (ssdeep match)

File	Score
C:\Windows\regedit.exe	71
C:\WINDOWS\regedit.exe	71
C:\WINDOWS\regedit.exe	100
C:\Windows\regedit.exe	69
C:\Windows\regedit.exe	72
C:\Windows\regedit.exe	69
C:\WINDOWS\SysWOW64\regedit.exe	71
C:\Windows\SysWOW64\regedit.exe	71
C:\Windows\SysWOW64\regedit.exe	72
C:\Windows\SysWOW64\regedit.exe	69
C:\Windows\SysWOW64\regedit.exe	69

Possible Misuse

The following table contains possible examples of regedit.exe being misused. While regedit.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	sysmon_regedit_export_to_ads.yml	`- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml`	DRL 1.0
sigma	sysmon_regedit_export_to_ads.yml	`Image\\|endswith: '\regedit.exe'`	DRL 1.0
sigma	proc_creation_win_alternate_data_streams.yml	`- 'regedit '`	DRL 1.0
sigma	proc_creation_win_regedit_export_critical_keys.yml	`- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml`	DRL 1.0
sigma	proc_creation_win_regedit_export_critical_keys.yml	`Image\\|endswith: '\regedit.exe'`	DRL 1.0
sigma	proc_creation_win_regedit_export_keys.yml	`- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml`	DRL 1.0
sigma	proc_creation_win_regedit_export_keys.yml	`Image\\|endswith: '\regedit.exe'`	DRL 1.0
sigma	proc_creation_win_regedit_import_keys.yml	`description: Detects the import of the specified file to the registry with regedit.exe.`	DRL 1.0
sigma	proc_creation_win_regedit_import_keys.yml	`- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml`	DRL 1.0
sigma	proc_creation_win_regedit_import_keys.yml	`Image\\|endswith: '\regedit.exe'`	DRL 1.0
sigma	proc_creation_win_regedit_import_keys_ads.yml	`description: Detects the import of a alternate datastream to the registry with regedit.exe.`	DRL 1.0
sigma	proc_creation_win_regedit_import_keys_ads.yml	`- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml`	DRL 1.0
sigma	proc_creation_win_regedit_import_keys_ads.yml	`Image\\|endswith: '\regedit.exe'`	DRL 1.0
sigma	proc_creation_win_susp_regedit_trustedinstaller.yml	`title: Regedit as Trusted Installer`	DRL 1.0
sigma	proc_creation_win_susp_regedit_trustedinstaller.yml	`description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe`	DRL 1.0
sigma	proc_creation_win_susp_regedit_trustedinstaller.yml	`Image\\|endswith: '\regedit.exe'`	DRL 1.0
LOLBAS	Regedit.yml	`Name: Regedit.exe`
LOLBAS	Regedit.yml	`- Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey`
LOLBAS	Regedit.yml	`- Command: regedit C:\ads\file.txt:regfile.reg`
LOLBAS	Regedit.yml	`- Path: C:\Windows\System32\regedit.exe`
LOLBAS	Regedit.yml	`- Path: C:\Windows\SysWOW64\regedit.exe`
LOLBAS	Regedit.yml	`- IOC: regedit.exe reading and writing to alternate data stream`
LOLBAS	Regedit.yml	`- IOC: regedit.exe should normally not be executed by end-users`
malware-ioc	misp_invisimole.json	"description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.\n\nOne variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. An example of this is when a common system utility or program is moved and renamed to avoid detection based on its usage.(Citation: FireEye APT10 Sept 2018) This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.\n\nA third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver file named <code>March 25 \\u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>. A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. \n\nAdversaries may modify a binary's metadata, including such fields as icons, version, name of the product, description, and copyright, to better blend in with the environment and increase chances of deceiving a security analyst or product.(Citation: Threatexpress MetaTwin 2017)\n\n### Windows\nIn another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)\n\nAn example of abuse of trusted locations in Windows would be the <code>C:\\Windows\\System32</code> directory. Examples of trusted binary names that can be given to malicious binares include \"explorer.exe\" and \"svchost.exe\".\n\n### Linux\nAnother variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten)\n\nAn example of abuse of trusted locations in Linux would be the <code>/bin</code> directory. Examples of trusted binary names that can be given to malicious binaries include \"rsyncd\" and \"dbus-inotifier\". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)",	© ESET 2014-2018
malware-ioc	rtm	`regedit.exe`	© ESET 2014-2018
atomic-red-team	T1564.004.md	regedit /E #{path}\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey	MIT License. © 2018 Red Canary
signature-base	apt_area1_phishing_diplomacy.yar	$regedit = { c7 06 23 01 12 20 c7 46 04 01 90 00 00 89 5e 0c 89 5e 08 e8	CC BY-NC 4.0
signature-base	apt_project_sauron_extras.yar	$x1 = “local t = w.exec2str("regedit “	CC BY-NC 4.0
signature-base	crime_cn_campaign_njrat.yar	$a4 = “taskkill /f /im regedit.exe” fullword ascii	CC BY-NC 4.0
signature-base	gen_recon_indicators.yar	$s9 = “regedit -e “ ascii	CC BY-NC 4.0