Analysis Overview
SHA256
b826a873c50c9cbf6cb52f6bfbf7efad03dbf56cf0928504e1b2b7100aab29ac
Threat Level: Likely benign
The file LegacyUpdate-1.111.exe was found to be: Likely benign.
Malicious Activity Summary
UPX packed file
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Drops file in Program Files directory
Executes dropped EXE
Checks installed software on the system
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Program crash
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer start page
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Modifies registry class
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-04 18:13
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-04 18:13
Reported
2025-07-04 18:16
Platform
win11-20250619-en
Max time kernel
99s
Max time network
133s
Command Line
Signatures
Event Triggered Execution: Component Object Model Hijacking
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Legacy Update\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| File created | C:\Program Files\Legacy Update\LegacyUpdate.dll | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| File created | C:\Program Files\Legacy Update\LegacyUpdate.exe | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| N/A | N/A | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| N/A | N/A | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982}\AppPath = "C:\\Program Files\\Legacy Update" | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31190368" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001c06934b96b47b4d8286911e75f36c4600000000020000000000106600000001000020000000314b2deddce88ff889ad687ad2365c9e091ca34ceabf2a57ce9458d4d9142748000000000e80000000020000200000009b4d9e0d34afdfb82a3a6b377647825352f538b314c0f8713fd956bcaae9a5dd200000009426c6638b13b4f3119cda6478e477cb13cc355688567c799026d9410057f98c400000006c49473175bf2fe8c7f79eb3d9802c99d9d09813f982b6037566912329aadd456243b1e23bc0e7fe02e6b76f76de4a9e049c39bd516f1f32210e5f136420eef7 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Recovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Suggested Sites\DataStreamEnabledState = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001c06934b96b47b4d8286911e75f36c46000000000200000000001066000000010000200000008c2ddee263f79e0c6fbf34862d0700734216737a141c07dcb3dc87912b066c21000000000e80000000020000200000005368ce34540bd7893ae12fcdae3286aa40799500a1d5f9bb1e7f5e7b981aad66100000007a04d527e736a65fe751ac245db7d19f4000000050f7216b301ba0b74f9e4a99d1b2d9b23dbbbcc60ae58496c8bf125f7a3af26cf0ec6caa208e09bc4b884f1057739365d033ad806acc8b2f5853055722c5296a | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "4241851389" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\DOMStorage\legacyupdate.net\ = "11" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}§ionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "458417817" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main\ImageStoreRandomFolder = "amur9j7" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}§ionHeight={ie:sectionHeight}&FORM=IENTSS" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AA4FD2F0-5902-11F0-A244-460C243BA2A1} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50b4dd7f0feddb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982}\AppName = "LegacyUpdate.exe" | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982} | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = d65e9efb60e1db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001c06934b96b47b4d8286911e75f36c4600000000020000000000106600000001000020000000181ab717d81887d2953108dcb888f7dd8f5d06a2dc1072b3463df6de625183ef000000000e8000000002000020000000d50d1c37d4877df7c49396e15d73d3cf78315e2752bfb1e8b2c3bcf6c44a6a7b50000000d86a6a4b2cdd1d10e5bdc89393a732a628d5280c85c850be80121a84ba315c77d6c7299b28e5069a2167a758ba2d9c6769d95827a1786ee57f752a0894f02657a2a510112b75b86ba115444898506227400000003ab676cf968494d9bb6044908d0aaefdb4658f307f1bbc006d3607d92b1ec7299af882d8f5083e8d6a1de55735d673c2afa79089e23737fb206ae3865632441a | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001c06934b96b47b4d8286911e75f36c46000000000200000000001066000000010000200000008058576c997b8608370d7d742647f0cc542936c777c7a9d8ccd968ebbc1638c2000000000e80000000020000200000000840bb992787dcd76152d469c6956b81e8e532a27c8e1bc1495e0d5ba1e649fe10000000d3b5076470f237fae1b74441bcde5c8340000000704ad817995d484ff57ef0a51d23f34b3fb0f20e24e9c0adfdec13ebe5ec74fc0c1a514b40f1c1e0a3fd0f03df59f66885c184b880c8563d07c6c6c3ed311b51 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\DOMStorage | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}§ionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = d65e9efb60e1db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001c06934b96b47b4d8286911e75f36c460000000002000000000010660000000100002000000036630131a78788318248dc16e866534c67867164cf154673f5a67d1d42c0ba30000000000e80000000020000200000007e221b1f04ccbdabe618177bbc52c2a15f29b2871aa3ebf6208a25e8c6d5f43650000000eba2a401821bd44f32582773d5070f592aa66d9bddc118888a8b6c8ec2537cef07d49b5183a90f38ec886caadc9a9e83c09e9887669094c4b64a8bb572b25c1e9bd75c15f980e39e2069ec79cac743b340000000aa80324eef5ce5b6da1f3c02ea85a6fcebf488cee6a3956fcb04f22642d10df01594ff9257bf9f60e498e9319f9e58f187c183edc629950945f6c8d4628716d7 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.22000.1\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "11" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\DOMStorage\legacyupdate.net\Total = "11" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\User Preferences | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://go.microsoft.com/fwlink/p/?LinkId=255141" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\ = "Legacy Update Control" | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar.1\CLSID | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}\1.0 | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\ProgID\ = "LegacyUpdate.Control.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\InprocServer32\ = "C:\\Program Files\\Legacy Update\\LegacyUpdate32.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\ = "Legacy Update Progress Bar Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.Control.1\CLSID\ = "{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}" | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar.1\CLSID\ = "{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}" | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Version | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}\1.0\0\win32\ = "C:\\Program Files\\Legacy Update\\LegacyUpdate32.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Implemented Categories | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\ProgID\ = "LegacyUpdate.ElevationHelper.1" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D0A82CD0-B6F0-4101-83ED-DA47D0D04830}\DllSurrogate | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\ = "ILegacyUpdateCtrl" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\TypeLib | C:\Windows\System32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\InprocServer32 | C:\Windows\System32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\MiscStatus | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000_Classes\CLSID | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper.1\CLSID | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\InprocServer32 | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\VersionIndependentProgID\ = "LegacyUpdate.ElevationHelper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\ProgID | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ProxyStubClsid32 | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper\CurVer\ = "LegacyUpdate.ElevationHelper.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FFBE8D44-E9CF-4DD8-9FD6-976802C94D9C}\InfoTip = "@\"C:\\Program Files\\Legacy Update\\LegacyUpdate.exe\",-4" | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\InprocServer32\ = "C:\\Program Files\\Legacy Update\\LegacyUpdate.dll" | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Version | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\LocalizedString = "@C:\\Program Files\\Legacy Update\\LegacyUpdate32.dll,-1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Elevation\Enabled = "1" | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Control | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D0A82CD0-B6F0-4101-83ED-DA47D0D04830}\DllSurrogate | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Control | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\MiscStatus\1 | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Control | C:\Windows\System32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\MiscStatus\1 | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\MiscStatus\1\ = "132497" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\MiscStatus\ = "0" | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\InprocServer32\ = "C:\\Program Files\\Legacy Update\\LegacyUpdate32.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\ = "Legacy Update Elevation Helper" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\InProcServer32\ = "C:\\Program Files\\Legacy Update\\LegacyUpdate.dll" | C:\Windows\System32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Version | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Elevation\Enabled = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\InprocServer32 | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\MiscStatus\ = "0" | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.Control\ = "LegacyUpdateCtrl Class" | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\VersionIndependentProgID | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Control | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638} | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FFBE8D44-E9CF-4DD8-9FD6-976802C94D9C}\ShellFolder | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\AppID = "{D0A82CD0-B6F0-4101-83ED-DA47D0D04830}" | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\ = "Legacy Update Progress Bar Control" | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe
"C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe"
C:\Program Files\Legacy Update\LegacyUpdate.exe
"C:\Program Files\Legacy Update\LegacyUpdate.exe" /regserver 328220
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Legacy Update\LegacyUpdate.dll"
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Legacy Update\LegacyUpdate32.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\Legacy Update\LegacyUpdate32.dll"
C:\Program Files\Legacy Update\LegacyUpdate.exe
"C:\Program Files\Legacy Update\LegacyUpdate.exe" /launch /firstrun
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3368 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | legacyupdate.net | udp |
| US | 172.67.217.41:443 | legacyupdate.net | tcp |
| US | 172.67.217.41:443 | legacyupdate.net | tcp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 150.171.28.10:443 | ieonline.microsoft.com | tcp |
| US | 150.171.28.10:443 | ieonline.microsoft.com | tcp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/1404-0-0x0000000000400000-0x0000000000487000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsc6220.tmp\LegacyUpdateNSIS.dll
| MD5 | 9faba20acb994499221c4066aa5bc043 |
| SHA1 | d19d76e98d0e433166d4c8f1f2b6ffbc9443548a |
| SHA256 | afaa11c241ad99d31fe29dc07a0d2190dc0490f21d3bd6399b87498ad1055ec4 |
| SHA512 | 3a8028e53259e193360b6fb7f49ac4f4ef9d8cf29b0681026ddfb4d5dc62cf35feea8184e05fccf212abf8e37da5b31c80e77ac323aab360ddd5fe827ca49224 |
C:\Users\Admin\AppData\Local\Temp\nsc6220.tmp\System.dll
| MD5 | 617f4e0a6c8782cfca9aee923fc7f8e4 |
| SHA1 | c907a6310e450f1ff9fd14c4afd10b70add8f2ee |
| SHA256 | 43a5e3313332eb6835290e99f37dc84de6991d62cd8cb285f1dea32f66d1507e |
| SHA512 | ef3fae21758358042a471b4c898bcda491b9e48edbe2f9f68c02c5f4d1e50313282323134916e5ad0b3b721f4c802d9aee77902831a580e5e54a1c2e36bbed2a |
C:\Program Files\Legacy Update\LegacyUpdate.exe
| MD5 | a658cd3da26882d5cafc03cb04f28828 |
| SHA1 | 952c0dd7b9a0a4fdaaf5a6bfd92649d76cec97f5 |
| SHA256 | e27c064ebb7c99ec65494d9371165f2b207e35cf2a5cd660e74223c0013e98c1 |
| SHA512 | 23ad1e341dae59e5edadc92d56b0da0a5729228b079e0e57a4232c7ba83789d77ce7daf713b219811692327a1507b6bce0ccbc5dc99c2e253bf78216df63230e |
C:\Program Files\Legacy Update\LegacyUpdate.dll
| MD5 | 74350e57247d8e2ca48f296167749f6b |
| SHA1 | 4c6a29a11b3238896c635159475ee75726191974 |
| SHA256 | b98d511ed5039d3b8c9bf02eb25155b3917f38234d4e38113209276cea46bce3 |
| SHA512 | 4fcc7d146a169b95e8839c92a79993a83203e47d8a293a96795b2b497d6cb39e0f702922d55514773d0992b7e11c63cfa7cccf755ae3becdbdfd4323f1f14054 |
C:\Program Files\Legacy Update\LegacyUpdate32.dll
| MD5 | a16b3a0f15a907da1a868b8e9842f1a4 |
| SHA1 | afd21759cfd0f68b765f3cd9365280094c8a618e |
| SHA256 | 9eb6498716330a0e1019316fc21261e1e81ccd319ed1a9c8d2555ecaeb0229ec |
| SHA512 | f95a1b2ffabf3795a1b77eb67506603d213391efc04ec4a1592f24af4297777763518bb9c0c7e4be975591125cec587e33e48ec39f2c2fd641abd33a83687015 |
memory/1492-26-0x00007FF75CCB0000-0x00007FF75CCD0000-memory.dmp
memory/1404-41-0x0000000000400000-0x0000000000487000-memory.dmp
memory/1240-43-0x00007FF75CCB0000-0x00007FF75CCD0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W1JN9WZ6\favicon[1].ico
| MD5 | 234bff2200db4dd16e96bcb6ae5da9f0 |
| SHA1 | d348cd7dd3ab3b86cbd2548203186d0db6d4884e |
| SHA256 | 48282bd4c2ef47c6c51bab7011c8cef46395138d05ab83ac55b0415d64bcd277 |
| SHA512 | 3bf1867fba4d0b0d9e1f30d0fadd71cdc3de964da7743d0ad2129aa0a7e96f6c057070bb8a122dab8fefdfa72324c4149db97e5fd622fd018fbb08ce17d9edfe |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\amur9j7\imagestore.dat
| MD5 | b8bfd4f0b46a40ef47592936a1ff8671 |
| SHA1 | d5d743ac3f2bbd43c95733ba49b5e34c9e675db2 |
| SHA256 | 8c969228feaa34c8e0efcc6e0f3ab21961755f208e8676e2e7c871fe07117d4c |
| SHA512 | ff8fb95c910afa2f69da2ec0803bbe92bf4c24aa05a77eb73af21ec76dda18391c674b6f70451e395244efe1c266e9061eaf67b21360114758e7b3966a27b6af |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2FPEI6B1\PIE_IE9[1].js
| MD5 | c6d00873371110fdf87b3c2d85493610 |
| SHA1 | 9be47c02adf06a4befc040751cea7016ba5f5dc0 |
| SHA256 | 868c8cb616b608c4f82c10e979279f23c94773c100399e40e0238223d36a3927 |
| SHA512 | 00aaa7a3b2b6b3d1d38789f228a280001b7287930e14c7dc6f1133ba524c5323aaead566e6a84bcf2ff429155f15d60b607898bbb10fafd63839f0487d9a6672 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J37ACQEP\activex[1].js
| MD5 | 144e34b4f44464ccf7d396bed3a8d8ce |
| SHA1 | aa60249c50b936e6a1c16c8c2fe87461c09150f5 |
| SHA256 | 66c4353831b336853b4726c98585f73ab10189f4e47433f0fe25db48657d8902 |
| SHA512 | 703455aab0a8720a423c1285f8d18845e48c5521cb2a4eed6951e980b76a34d30724f2e2a27b34a040bc1f2708ca349baaed5922bc77996fd73cdb86028bbd32 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J37ACQEP\jquery[1].js
| MD5 | 10092eee563dec2dca82b77d2cf5a1ae |
| SHA1 | 65cbff4e9d95d47a6f31d96ab4ea361c1f538a7b |
| SHA256 | e23a2a4e2d7c2b41ebcdd8ffc0679df7140eb7f52e1eebabf827a88182643c59 |
| SHA512 | cc92cf5a9b3a62a18af432fdffb81b76da84e2f43ce3c7800a919c10809118d0611e29a47f103ff3df18a54d5331bc5f06ef4771dc406cc763b30ff2a66a3e81 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CVT3CZ05\global[1].js
| MD5 | 47223f34276f4bab4bfcbab937038e40 |
| SHA1 | a6a19505ba73acb1b65ff5e70a59d8fa7ca94286 |
| SHA256 | 7d48e1ffb5354d10a3b00f15efa6a73aa3a9618a1e837cf44c1fad1fb0d204c8 |
| SHA512 | 6d03319746851fd2f47141d44f05c54d0edc37fd67005982ac875a91445fd197a9b98da1544603a0ba0fc79a4bfe5f2d21d9f05337d4910e57dc158cc2406e30 |
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
| MD5 | da597791be3b6e732f0bc8b20e38ee62 |
| SHA1 | 1125c45d285c360542027d7554a5c442288974de |
| SHA256 | 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07 |
| SHA512 | d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e |
C:\Users\Admin\AppData\Local\Temp\Kno9E1D.tmp
| MD5 | 002d5646771d31d1e7c57990cc020150 |
| SHA1 | a28ec731f9106c252f313cca349a68ef94ee3de9 |
| SHA256 | 1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f |
| SHA512 | 689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J37ACQEP\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral5
Detonation Overview
Submitted
2025-07-04 18:13
Reported
2025-07-04 18:16
Platform
win10v2004-20250502-en
Max time kernel
104s
Max time network
142s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3436 wrote to memory of 2776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3436 wrote to memory of 2776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3436 wrote to memory of 2776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSxfer.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSxfer.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2776 -ip 2776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 672
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/2776-0-0x0000000074F70000-0x0000000074F82000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2025-07-04 18:13
Reported
2025-07-04 18:16
Platform
win11-20250502-en
Max time kernel
101s
Max time network
111s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3868 wrote to memory of 3568 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3868 wrote to memory of 3568 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3868 wrote to memory of 3568 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSxfer.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSxfer.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3568 -ip 3568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 536
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.11:443 | tcp |
Files
memory/3568-0-0x0000000075730000-0x0000000075742000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2025-07-04 18:13
Reported
2025-07-04 18:16
Platform
win10v2004-20250619-en
Max time kernel
103s
Max time network
137s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4240 wrote to memory of 3208 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4240 wrote to memory of 3208 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4240 wrote to memory of 3208 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3208 -ip 3208
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 612
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-04 18:13
Reported
2025-07-04 18:16
Platform
win10v2004-20250619-en
Max time kernel
103s
Max time network
138s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Control Panel\International\Geo\Nation | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Legacy Update\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| File created | C:\Program Files\Legacy Update\LegacyUpdate.dll | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| File created | C:\Program Files\Legacy Update\LegacyUpdate.exe | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| N/A | N/A | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| N/A | N/A | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "458417817" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\legacyupdate.net | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31190287" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a99294cc0d6ed74b8afae24cc34a9c32000000000200000000001066000000010000200000005c968459e421c10fbf7df8a628b0394235e7b3ead89d0ac4e59fac7dd3e44414000000000e8000000002000020000000d188626017cc7b27aacea74ce7306a454238ff034b3fe679a3c05202ffaab87820000000f8f3109b477e6734f8f2289556a43e58ee04057b668588dbea3b5fb4305018c34000000098aa377b552ecb1b1d9ea4f08f4a01a5fc092cdd04396306643d472819b163661e4f94cf16dd94833fb5d0219afa8ee99e45391fe4209ed0853903e23e3d8ec5 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982}\AppName = "LegacyUpdate.exe" | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\legacyupdate.net\ = "11" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2129262184" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982} | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982} | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "11" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31190287" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0044e47f0feddb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982}\AppPath = "C:\\Program Files\\Legacy Update" | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AA5C4909-5902-11F0-B464-724A1EDA80BB} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2129731050" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\DOMStorage\legacyupdate.net | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\legacyupdate.net\NumberOfSubdomains = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\legacyupdate.net\Total = "11" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10a7da7f0feddb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a99294cc0d6ed74b8afae24cc34a9c32000000000200000000001066000000010000200000008f4b682ef0528d9467d166d54887d703ae07e469a90342e8889fd2db5996d1b5000000000e800000000200002000000027af786eda649b4cce05900574f7a3507f83ef9d28b23b5c32098bfa0d65775f20000000057a054cb0138da1756e622580db63299b46d3554f2a7652afd2d0da27d3db3340000000884faac6373638a7002712273a3f33a45f23d82683d31ff43a64ea34d279d9ecc20840fa792ad97df066d9e62bebd72ca26c7f74d8b2002648bace0cef513f77 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982}\AppPath = "C:\\Program Files\\Legacy Update" | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982}\AppName = "LegacyUpdate.exe" | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FFBE8D44-E9CF-4DD8-9FD6-976802C94D9C}\Shell\Open | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D0A82CD0-B6F0-4101-83ED-DA47D0D04830}\ = "Legacy Update Control" | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\VersionIndependentProgID | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Implemented Categories | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\System32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Version | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ProxyStubClsid32\ = "{3236E684-0E4B-4780-9F31-F1983F5AB78D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FFBE8D44-E9CF-4DD8-9FD6-976802C94D9C}\ShellFolder\Attributes = "0" | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\MiscStatus\1\ = "131473" | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LegacyUpdate.dll\AppID = "{D0A82CD0-B6F0-4101-83ED-DA47D0D04830}" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.Control\CurVer\ = "LegacyUpdate.Control.1" | C:\Windows\System32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Control | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\MiscStatus\1 | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.Control | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\ = "ILegacyUpdateCtrl" | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Elevation\Enabled = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\TypeLib | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\NumMethods | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FFBE8D44-E9CF-4DD8-9FD6-976802C94D9C} | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\TypeLib | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\VersionIndependentProgID\ = "LegacyUpdate.Control" | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\InProcServer32\ = "C:\\Program Files\\Legacy Update\\LegacyUpdate.dll" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper\CurVer\ = "LegacyUpdate.ElevationHelper.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar.1\CLSID\ = "{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\ProgID\ = "LegacyUpdate.Control.1" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ = "IProgressBarControl" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LegacyUpdate.dll\AppID = "{D0A82CD0-B6F0-4101-83ED-DA47D0D04830}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3236E684-0E4B-4780-9F31-F1983F5AB78D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\InProcServer32\ = "C:\\Program Files\\Legacy Update\\LegacyUpdate32.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\TypeLib\Version = "1.0" | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.Control.1\CLSID\ = "{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\ProxyStubClsid32 | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\ = "IElevationHelper" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar\CurVer\ = "LegacyUpdate.ProgressBar.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper\ = "Legacy Update Elevation Helper" | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Version | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\TypeLib | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar.1\ = "ProgressBarControl Class" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\TypeLib\Version = "1.0" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar\ = "ProgressBarControl Class" | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}\1.0\HELPDIR | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Implemented Categories | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638} | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar\ = "ProgressBarControl Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\ProgID\ = "LegacyUpdate.ElevationHelper.1" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\NumMethods\ = "9" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\ = "Legacy Update Elevation Helper" | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Version\ = "1.0" | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\InprocServer32\ = "C:\\Program Files\\Legacy Update\\LegacyUpdate.dll" | C:\Program Files\Legacy Update\LegacyUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper\ = "Legacy Update Elevation Helper" | C:\Windows\System32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\ProgID | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" | C:\Windows\System32\regsvr32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe
"C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe"
C:\Program Files\Legacy Update\LegacyUpdate.exe
"C:\Program Files\Legacy Update\LegacyUpdate.exe" /regserver 655990
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Legacy Update\LegacyUpdate.dll"
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Legacy Update\LegacyUpdate32.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\Legacy Update\LegacyUpdate32.dll"
C:\Program Files\Legacy Update\LegacyUpdate.exe
"C:\Program Files\Legacy Update\LegacyUpdate.exe" /launch /firstrun
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4128 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | legacyupdate.net | udp |
| US | 172.67.217.41:443 | legacyupdate.net | tcp |
| US | 172.67.217.41:443 | legacyupdate.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | fe2cr.update.microsoft.com | udp |
| US | 132.196.74.209:443 | fe2cr.update.microsoft.com | tcp |
| US | 8.8.8.8:53 | download.windowsupdate.com | udp |
| GB | 84.201.209.100:80 | download.windowsupdate.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 150.171.28.10:443 | ieonline.microsoft.com | tcp |
Files
memory/3748-0-0x0000000000400000-0x0000000000487000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nso69C8.tmp\LegacyUpdateNSIS.dll
| MD5 | 9faba20acb994499221c4066aa5bc043 |
| SHA1 | d19d76e98d0e433166d4c8f1f2b6ffbc9443548a |
| SHA256 | afaa11c241ad99d31fe29dc07a0d2190dc0490f21d3bd6399b87498ad1055ec4 |
| SHA512 | 3a8028e53259e193360b6fb7f49ac4f4ef9d8cf29b0681026ddfb4d5dc62cf35feea8184e05fccf212abf8e37da5b31c80e77ac323aab360ddd5fe827ca49224 |
C:\Users\Admin\AppData\Local\Temp\nso69C8.tmp\System.dll
| MD5 | 617f4e0a6c8782cfca9aee923fc7f8e4 |
| SHA1 | c907a6310e450f1ff9fd14c4afd10b70add8f2ee |
| SHA256 | 43a5e3313332eb6835290e99f37dc84de6991d62cd8cb285f1dea32f66d1507e |
| SHA512 | ef3fae21758358042a471b4c898bcda491b9e48edbe2f9f68c02c5f4d1e50313282323134916e5ad0b3b721f4c802d9aee77902831a580e5e54a1c2e36bbed2a |
C:\Program Files\Legacy Update\LegacyUpdate.exe
| MD5 | a658cd3da26882d5cafc03cb04f28828 |
| SHA1 | 952c0dd7b9a0a4fdaaf5a6bfd92649d76cec97f5 |
| SHA256 | e27c064ebb7c99ec65494d9371165f2b207e35cf2a5cd660e74223c0013e98c1 |
| SHA512 | 23ad1e341dae59e5edadc92d56b0da0a5729228b079e0e57a4232c7ba83789d77ce7daf713b219811692327a1507b6bce0ccbc5dc99c2e253bf78216df63230e |
C:\Program Files\Legacy Update\LegacyUpdate.dll
| MD5 | 74350e57247d8e2ca48f296167749f6b |
| SHA1 | 4c6a29a11b3238896c635159475ee75726191974 |
| SHA256 | b98d511ed5039d3b8c9bf02eb25155b3917f38234d4e38113209276cea46bce3 |
| SHA512 | 4fcc7d146a169b95e8839c92a79993a83203e47d8a293a96795b2b497d6cb39e0f702922d55514773d0992b7e11c63cfa7cccf755ae3becdbdfd4323f1f14054 |
C:\Program Files\Legacy Update\LegacyUpdate32.dll
| MD5 | a16b3a0f15a907da1a868b8e9842f1a4 |
| SHA1 | afd21759cfd0f68b765f3cd9365280094c8a618e |
| SHA256 | 9eb6498716330a0e1019316fc21261e1e81ccd319ed1a9c8d2555ecaeb0229ec |
| SHA512 | f95a1b2ffabf3795a1b77eb67506603d213391efc04ec4a1592f24af4297777763518bb9c0c7e4be975591125cec587e33e48ec39f2c2fd641abd33a83687015 |
memory/3512-26-0x00007FF6CA530000-0x00007FF6CA550000-memory.dmp
memory/3748-41-0x0000000000400000-0x0000000000487000-memory.dmp
memory/4556-43-0x00007FF6CA530000-0x00007FF6CA550000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UC61FFNV\favicon[1].ico
| MD5 | 234bff2200db4dd16e96bcb6ae5da9f0 |
| SHA1 | d348cd7dd3ab3b86cbd2548203186d0db6d4884e |
| SHA256 | 48282bd4c2ef47c6c51bab7011c8cef46395138d05ab83ac55b0415d64bcd277 |
| SHA512 | 3bf1867fba4d0b0d9e1f30d0fadd71cdc3de964da7743d0ad2129aa0a7e96f6c057070bb8a122dab8fefdfa72324c4149db97e5fd622fd018fbb08ce17d9edfe |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\xvqhvi3\imagestore.dat
| MD5 | b8bfd4f0b46a40ef47592936a1ff8671 |
| SHA1 | d5d743ac3f2bbd43c95733ba49b5e34c9e675db2 |
| SHA256 | 8c969228feaa34c8e0efcc6e0f3ab21961755f208e8676e2e7c871fe07117d4c |
| SHA512 | ff8fb95c910afa2f69da2ec0803bbe92bf4c24aa05a77eb73af21ec76dda18391c674b6f70451e395244efe1c266e9061eaf67b21360114758e7b3966a27b6af |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0N5ANRLW\content[1].js
| MD5 | 3f5c85e6db94d3770df4d5316d368e48 |
| SHA1 | 62b31c769534010e8c4cd7697417a66356788993 |
| SHA256 | 20da3eca3de93ab83a58bb5b08b9ccf8022c863049dbdd069415171f4600099c |
| SHA512 | b99c2f369f32ce065878ddd69db947d2e6d351e745933a6946efa024e668692068318ef42e1623499a96a81de32c1a29557ae40c459b0cb999880db965f95013 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0N5ANRLW\content[1].css
| MD5 | 851da6986ad50596a4a737884c8a34f7 |
| SHA1 | 57694850292dac81b60de2946adeaee7a298d567 |
| SHA256 | cc90dadd7bbbe71807a845d9be7004c80552f0b6ac80c807e5e59752ea4a4ade |
| SHA512 | 9b26a790d244b45ee5f43f7c85c92e0597d0180972a898f3b851cae18e1848db527c9487635ba26a4a8a3b671535292ccf3cc12ea6ea44e0c3c04a67e59505ac |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9BEQ95AA\hcp[1].css
| MD5 | 9b7ff692b36f18db4aba6662aac3bccb |
| SHA1 | ad579f3c5b37f4694892422436cb045d39640e8c |
| SHA256 | 2ba11644aa731e07ef950e9ec9649c30f76a03c660b93f69ef94f038c93eabd1 |
| SHA512 | c89475b95873f304d93238f6a369c81369b50b81a985c9c5e3ee085f9a362fdd6f5d9d20872ea1e00bc03b340b29197aa58db8a857b22c3fe453b9175274be0b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0
| MD5 | 1f12e0bf0132a75fa39048ac84b34b09 |
| SHA1 | 38c60f3cc4a2a6c0d57ffd2702e33452f329827a |
| SHA256 | 3a11f528a4cd6b959a784ee816170463b43fd58ac09b94c8fe4f095344a65968 |
| SHA512 | 4f8913a522cc1cf9b9a2c69be3ba158a6a128e275c1dae96bf675bec0ab31a3181cf453d5b2a018d41bebb4b295a1d1a1c947b28a69503fa354ab8ad4a13f677 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0
| MD5 | db3f2e41632254f91f7e5e41942d8ff0 |
| SHA1 | 7da106440ca2f41c46abf0c425b49bbce80a1cfb |
| SHA256 | 601e2bdca83d313ce5087a94b902e3a8237c1255e1221deeb40b3ae5c3a9d9d3 |
| SHA512 | 0cb09d9c84a09722a83150f24caf27cd72f873f77e765b45ac00b177c895f095d9126aafbba60aa3c54b2d3acbee104aa5d0ad1942aca4038586a2242528fbfe |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9BEQ95AA\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral3
Detonation Overview
Submitted
2025-07-04 18:13
Reported
2025-07-04 18:16
Platform
win10v2004-20250619-en
Max time kernel
104s
Max time network
140s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3868 wrote to memory of 6080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3868 wrote to memory of 6080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3868 wrote to memory of 6080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LegacyUpdateNSIS.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LegacyUpdateNSIS.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6080 -ip 6080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 652
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/6080-0-0x00000000749A0000-0x00000000749AB000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2025-07-04 18:13
Reported
2025-07-04 18:16
Platform
win11-20250619-en
Max time kernel
101s
Max time network
104s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4288 wrote to memory of 2452 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4288 wrote to memory of 2452 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4288 wrote to memory of 2452 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LegacyUpdateNSIS.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LegacyUpdateNSIS.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2452 -ip 2452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 508
Network
Files
memory/2452-0-0x0000000074B90000-0x0000000074B9B000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2025-07-04 18:13
Reported
2025-07-04 18:16
Platform
win11-20250610-en
Max time kernel
101s
Max time network
104s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 680 wrote to memory of 3576 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 680 wrote to memory of 3576 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 680 wrote to memory of 3576 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3576 -ip 3576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 460
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2025-07-04 18:13
Reported
2025-07-04 18:16
Platform
win10v2004-20250610-en
Max time kernel
105s
Max time network
140s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.Control.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\ = "IElevationHelper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar\ = "ProgressBarControl Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper.1\ = "Legacy Update Elevation Helper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\ProgID\ = "LegacyUpdate.ElevationHelper.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\VersionIndependentProgID\ = "LegacyUpdate.ElevationHelper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\ = "Legacy Update Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.Control.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\MiscStatus\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ = "IProgressBarControl" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Elevation\IconReference = "@C:\\Program Files\\Legacy Update\\LegacyUpdate.exe,-100" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper\CurVer\ = "LegacyUpdate.ElevationHelper.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\MiscStatus\1\ = "132497" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\NumMethods\ = "22" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\AppID = "{D0A82CD0-B6F0-4101-83ED-DA47D0D04830}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\ = "ILegacyUpdateCtrl" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000_Classes\WOW6432Node\Interface | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LegacyUpdate.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\ProgID\ = "LegacyUpdate.Control.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\MiscStatus\1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\ = "Legacy Update Progress Bar Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000_Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper.1\CLSID\ = "{84F517AD-6438-478F-BEA8-F0B808DC257F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.Control.1\ = "LegacyUpdateCtrl Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LegacyUpdate.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4624 wrote to memory of 5596 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4624 wrote to memory of 5596 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4624 wrote to memory of 5596 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\LegacyUpdate.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\LegacyUpdate.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2025-07-04 18:13
Reported
2025-07-04 18:16
Platform
win11-20250619-en
Max time kernel
99s
Max time network
102s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar\CurVer\ = "LegacyUpdate.ProgressBar.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\ = "IElevationHelper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\ = "IElevationHelper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\VersionIndependentProgID\ = "LegacyUpdate.ElevationHelper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D0A82CD0-B6F0-4101-83ED-DA47D0D04830} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LegacyUpdate.dll\AppID = "{D0A82CD0-B6F0-4101-83ED-DA47D0D04830}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper.1\ = "Legacy Update Elevation Helper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Elevation | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Elevation\Enabled = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000_Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Elevation\IconReference = "@C:\\Program Files\\Legacy Update\\LegacyUpdate.exe,-100" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ProxyStubClsid32\ = "{3236E684-0E4B-4780-9F31-F1983F5AB78D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper.1\CLSID\ = "{84F517AD-6438-478F-BEA8-F0B808DC257F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\ = "Legacy Update Elevation Helper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D0A82CD0-B6F0-4101-83ED-DA47D0D04830}\DllSurrogate | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\ProgID\ = "LegacyUpdate.Control.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ = "IProgressBarControl" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper\CurVer\ = "LegacyUpdate.ElevationHelper.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\AppID = "{D0A82CD0-B6F0-4101-83ED-DA47D0D04830}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\ = "Legacy Update Progress Bar Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\ProxyStubClsid32\ = "{3236E684-0E4B-4780-9F31-F1983F5AB78D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\ProgID\ = "LegacyUpdate.ElevationHelper.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LegacyUpdate.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\ = "ILegacyUpdateCtrl" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.Control.1\CLSID\ = "{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar.1\ = "ProgressBarControl Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3476 wrote to memory of 2036 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3476 wrote to memory of 2036 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3476 wrote to memory of 2036 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\LegacyUpdate.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\LegacyUpdate.dll