Analysis
- max time kernel: 99s
- max time network: 133s
- platform: windows11-21h2_x64
- resource: win11-20250619-en
- resource tags: arch:x64 arch:x86 image:win11-20250619-en locale:en-us os:windows11-21h2-x64 system
- submitted: 04/07/2025, 18:13

Behavioral task | Sample | Resource
behavioral1 | LegacyUpdate-1.111.exe | win10v2004-20250619-en
behavioral2 | LegacyUpdate-1.111.exe | win11-20250619-en
behavioral3 | $PLUGINSDIR/LegacyUpdateNSIS.dll | win10v2004-20250619-en
behavioral4 | $PLUGINSDIR/LegacyUpdateNSIS.dll | win11-20250619-en
behavioral5 | $PLUGINSDIR/NSxfer.dll | win10v2004-20250502-en
behavioral6 | $PLUGINSDIR/NSxfer.dll | win11-20250502-en
behavioral7 | $PLUGINSDIR/System.dll | win10v2004-20250619-en
behavioral8 | $PLUGINSDIR/System.dll | win11-20250610-en
behavioral9 | LegacyUpdate.dll | win10v2004-20250610-en
behavioral10 | LegacyUpdate.dll | win11-20250619-en

General
- Target: LegacyUpdate-1.111.exe
- Size: 601KB
- MD5: 65cf19fe7e1491409f95cc280f744fec
- SHA1: 75f8a05ff04f725521f7f46ad9c50c454ea39d20
- SHA256: b826a873c50c9cbf6cb52f6bfbf7efad03dbf56cf0928504e1b2b7100aab29ac
- SHA512: 1f3503e0de4c74eb93a4f09d3952d2db10315629d8bc073ef69604e90f2a582021d77d5174e462cf2aec0f6620f386578c14791732610b615cf84b503682aebd
- SSDEEP: 12288:dBKdu4egRoStQ21qW9w7/RSX2wSqwRGIvccEq694AYTeen4OkZWnonzDkIBvP:Wdu4/R31qW9G5SX2JqwRGIvccE79w4xh

Malware Config
Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

resource | yara_rule
behavioral2/memory/1404-0-0x0000000000400000-0x0000000000487000-memory.dmp | upx
behavioral2/memory/1404-41-0x0000000000400000-0x0000000000487000-memory.dmp | upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files\Legacy Update\Uninstall.exe | LegacyUpdate-1.111.exe
File created | C:\Program Files\Legacy Update\LegacyUpdate.dll | LegacyUpdate-1.111.exe
File created | C:\Program Files\Legacy Update\LegacyUpdate.exe | LegacyUpdate-1.111.exe

Executes dropped EXE 2 IoCs
pid | Process
1492 | LegacyUpdate.exe
1240 | LegacyUpdate.exe

Loads dropped DLL 7 IoCs
pid | Process
1404 | LegacyUpdate-1.111.exe
1404 | LegacyUpdate-1.111.exe
1492 | LegacyUpdate.exe
4728 | regsvr32.exe
4968 | regsvr32.exe
2920 | Process not Found
5040 | IEXPLORE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LegacyUpdate-1.111.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ielowutil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://go.microsoft.com/fwlink/p/?LinkId=255141" | iexplore.exe

Modifies registry class 64 IoCs

Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
1404 | LegacyUpdate-1.111.exe
3368 | iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
3368 | iexplore.exe
3368 | iexplore.exe
5040 | IEXPLORE.EXE
5040 | IEXPLORE.EXE
5040 | IEXPLORE.EXE
5040 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 14 IoCs
description | pid | Process | procid_target
PID 1404 wrote to memory of 1492 | 1404 | LegacyUpdate-1.111.exe | 79
PID 1404 wrote to memory of 1492 | 1404 | LegacyUpdate-1.111.exe | 79
PID 1492 wrote to memory of 4728 | 1492 | LegacyUpdate.exe | 80
PID 1492 wrote to memory of 4728 | 1492 | LegacyUpdate.exe | 80
PID 1492 wrote to memory of 4612 | 1492 | LegacyUpdate.exe | 81
PID 1492 wrote to memory of 4612 | 1492 | LegacyUpdate.exe | 81
PID 4612 wrote to memory of 4968 | 4612 | regsvr32.exe | 82
PID 4612 wrote to memory of 4968 | 4612 | regsvr32.exe | 82
PID 4612 wrote to memory of 4968 | 4612 | regsvr32.exe | 82
PID 1404 wrote to memory of 1240 | 1404 | LegacyUpdate-1.111.exe | 83
PID 1404 wrote to memory of 1240 | 1404 | LegacyUpdate-1.111.exe | 83
PID 3368 wrote to memory of 5040 | 3368 | iexplore.exe | 87
PID 3368 wrote to memory of 5040 | 3368 | iexplore.exe | 87
PID 3368 wrote to memory of 5040 | 3368 | iexplore.exe | 87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

Processes
- C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe
  "C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe"
  PID: 1404
  - Drops file in Program Files directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

    - C:\Program Files\Legacy Update\LegacyUpdate.exe
      "C:\Program Files\Legacy Update\LegacyUpdate.exe" /regserver 328220
      PID: 1492
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

        - C:\Windows\System32\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Legacy Update\LegacyUpdate.dll"
          PID: 4728
          - Loads dropped DLL
          - Modifies registry class

        - C:\Windows\System32\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Legacy Update\LegacyUpdate32.dll"
          PID: 4612
          - Suspicious use of WriteProcessMemory

            - C:\Windows\SysWOW64\regsvr32.exe
              /s "C:\Program Files\Legacy Update\LegacyUpdate32.dll"
              PID: 4968
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Modifies registry class

    - C:\Program Files\Legacy Update\LegacyUpdate.exe
      "C:\Program Files\Legacy Update\LegacyUpdate.exe" /launch /firstrun
      PID: 1240
      - Executes dropped EXE

- C:\Program Files (x86)\Internet Explorer\ielowutil.exe
  "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
  PID: 2104
  - System Location Discovery: System Language Discovery

- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  PID: 3368
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3368 CREDAT:17410 /prefetch:2
      PID: 5040
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

Network
MITRE ATT&CK Enterprise v16
Downloads