Malware Analysis Report

2025-08-05 14:55

Sample ID 250704-wt691sw1g1
Target LegacyUpdate-1.111.exe
SHA256 b826a873c50c9cbf6cb52f6bfbf7efad03dbf56cf0928504e1b2b7100aab29ac
Tags
upx adware discovery persistence privilege_escalation ransomware spyware stealer
score
5/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V16
Analysis: static1: Detonation Overview, Signatures
Analysis: behavioral2: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral5: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral6: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral7: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral1: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral3: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral4: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral8: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral9: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral10: Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

score
5/10

SHA256

b826a873c50c9cbf6cb52f6bfbf7efad03dbf56cf0928504e1b2b7100aab29ac

Threat Level: Likely benign

The file LegacyUpdate-1.111.exe was found to be: Likely benign.

Malicious Activity Summary

upx adware discovery persistence privilege_escalation ransomware spyware stealer

UPX packed file

Checks computer location settings

Event Triggered Execution: Component Object Model Hijacking

Drops file in Program Files directory

Executes dropped EXE

Checks installed software on the system

Loads dropped DLL

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer start page

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Modifies registry class

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-04 18:13

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-04 18:13

Reported

2025-07-04 18:16

Platform

win11-20250619-en

Max time kernel

99s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe"

Signatures

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Legacy Update\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
File created C:\Program Files\Legacy Update\LegacyUpdate.dll C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
File created C:\Program Files\Legacy Update\LegacyUpdate.exe C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
N/A N/A C:\Program Files\Legacy Update\LegacyUpdate.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\ielowutil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982}\AppPath = "C:\\Program Files\\Legacy Update" C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31190368" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001c06934b96b47b4d8286911e75f36c4600000000020000000000106600000001000020000000314b2deddce88ff889ad687ad2365c9e091ca34ceabf2a57ce9458d4d9142748000000000e80000000020000200000009b4d9e0d34afdfb82a3a6b377647825352f538b314c0f8713fd956bcaae9a5dd200000009426c6638b13b4f3119cda6478e477cb13cc355688567c799026d9410057f98c400000006c49473175bf2fe8c7f79eb3d9802c99d9d09813f982b6037566912329aadd456243b1e23bc0e7fe02e6b76f76de4a9e049c39bd516f1f32210e5f136420eef7 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Recovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Suggested Sites\DataStreamEnabledState = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001c06934b96b47b4d8286911e75f36c46000000000200000000001066000000010000200000008c2ddee263f79e0c6fbf34862d0700734216737a141c07dcb3dc87912b066c21000000000e80000000020000200000005368ce34540bd7893ae12fcdae3286aa40799500a1d5f9bb1e7f5e7b981aad66100000007a04d527e736a65fe751ac245db7d19f4000000050f7216b301ba0b74f9e4a99d1b2d9b23dbbbcc60ae58496c8bf125f7a3af26cf0ec6caa208e09bc4b884f1057739365d033ad806acc8b2f5853055722c5296a C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "4241851389" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\DOMStorage\legacyupdate.net\ = "11" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "458417817" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main\ImageStoreRandomFolder = "amur9j7" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AA4FD2F0-5902-11F0-A244-460C243BA2A1} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50b4dd7f0feddb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982}\AppName = "LegacyUpdate.exe" C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982} C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = d65e9efb60e1db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001c06934b96b47b4d8286911e75f36c4600000000020000000000106600000001000020000000181ab717d81887d2953108dcb888f7dd8f5d06a2dc1072b3463df6de625183ef000000000e8000000002000020000000d50d1c37d4877df7c49396e15d73d3cf78315e2752bfb1e8b2c3bcf6c44a6a7b50000000d86a6a4b2cdd1d10e5bdc89393a732a628d5280c85c850be80121a84ba315c77d6c7299b28e5069a2167a758ba2d9c6769d95827a1786ee57f752a0894f02657a2a510112b75b86ba115444898506227400000003ab676cf968494d9bb6044908d0aaefdb4658f307f1bbc006d3607d92b1ec7299af882d8f5083e8d6a1de55735d673c2afa79089e23737fb206ae3865632441a C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001c06934b96b47b4d8286911e75f36c46000000000200000000001066000000010000200000008058576c997b8608370d7d742647f0cc542936c777c7a9d8ccd968ebbc1638c2000000000e80000000020000200000000840bb992787dcd76152d469c6956b81e8e532a27c8e1bc1495e0d5ba1e649fe10000000d3b5076470f237fae1b74441bcde5c8340000000704ad817995d484ff57ef0a51d23f34b3fb0f20e24e9c0adfdec13ebe5ec74fc0c1a514b40f1c1e0a3fd0f03df59f66885c184b880c8563d07c6c6c3ed311b51 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = d65e9efb60e1db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = [binary value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.22000.1\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "11" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\DOMStorage\legacyupdate.net\Total = "11" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\User Preferences C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://go.microsoft.com/fwlink/p/?LinkId=255141" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\ = "Legacy Update Control" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar.1\CLSID C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}\1.0 C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\ProgID\ = "LegacyUpdate.Control.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\InprocServer32\ = "C:\\Program Files\\Legacy Update\\LegacyUpdate32.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\ = "Legacy Update Progress Bar Control" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.Control.1\CLSID\ = "{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar.1\CLSID\ = "{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Version C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\MiscStatus C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}\1.0\0\win32\ = "C:\\Program Files\\Legacy Update\\LegacyUpdate32.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Implemented Categories C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\ProgID\ = "LegacyUpdate.ElevationHelper.1" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D0A82CD0-B6F0-4101-83ED-DA47D0D04830}\DllSurrogate C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\ = "ILegacyUpdateCtrl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\TypeLib C:\Windows\System32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\InprocServer32 C:\Windows\System32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\MiscStatus C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000_Classes\CLSID C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper.1\CLSID C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\InprocServer32 C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\VersionIndependentProgID\ = "LegacyUpdate.ElevationHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\ProgID C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ProxyStubClsid32 C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper\CurVer\ = "LegacyUpdate.ElevationHelper.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FFBE8D44-E9CF-4DD8-9FD6-976802C94D9C}\InfoTip = "@\"C:\\Program Files\\Legacy Update\\LegacyUpdate.exe\",-4" C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\InprocServer32\ = "C:\\Program Files\\Legacy Update\\LegacyUpdate.dll" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Version C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\LocalizedString = "@C:\\Program Files\\Legacy Update\\LegacyUpdate32.dll,-1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Elevation\Enabled = "1" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Control C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D0A82CD0-B6F0-4101-83ED-DA47D0D04830}\DllSurrogate C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Control C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\MiscStatus\1 C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Control C:\Windows\System32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\MiscStatus\1 C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\MiscStatus\1\ = "132497" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\MiscStatus\ = "0" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\InprocServer32\ = "C:\\Program Files\\Legacy Update\\LegacyUpdate32.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\ = "Legacy Update Elevation Helper" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\InProcServer32\ = "C:\\Program Files\\Legacy Update\\LegacyUpdate.dll" C:\Windows\System32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Version C:\Windows\System32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Elevation\Enabled = "1" C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\InprocServer32 C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\MiscStatus\ = "0" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.Control\ = "LegacyUpdateCtrl Class" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\VersionIndependentProgID C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Control C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638} C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FFBE8D44-E9CF-4DD8-9FD6-976802C94D9C}\ShellFolder C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\AppID = "{D0A82CD0-B6F0-4101-83ED-DA47D0D04830}" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\ = "Legacy Update Progress Bar Control" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1404 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe C:\Program Files\Legacy Update\LegacyUpdate.exe
PID 1404 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe C:\Program Files\Legacy Update\LegacyUpdate.exe
PID 1492 wrote to memory of 4728 N/A C:\Program Files\Legacy Update\LegacyUpdate.exe C:\Windows\System32\regsvr32.exe
PID 1492 wrote to memory of 4728 N/A C:\Program Files\Legacy Update\LegacyUpdate.exe C:\Windows\System32\regsvr32.exe
PID 1492 wrote to memory of 4612 N/A C:\Program Files\Legacy Update\LegacyUpdate.exe C:\Windows\System32\regsvr32.exe
PID 1492 wrote to memory of 4612 N/A C:\Program Files\Legacy Update\LegacyUpdate.exe C:\Windows\System32\regsvr32.exe
PID 4612 wrote to memory of 4968 N/A C:\Windows\System32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4612 wrote to memory of 4968 N/A C:\Windows\System32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4612 wrote to memory of 4968 N/A C:\Windows\System32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1404 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe C:\Program Files\Legacy Update\LegacyUpdate.exe
PID 1404 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe C:\Program Files\Legacy Update\LegacyUpdate.exe
PID 3368 wrote to memory of 5040 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3368 wrote to memory of 5040 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3368 wrote to memory of 5040 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe

"C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe"

C:\Program Files\Legacy Update\LegacyUpdate.exe

"C:\Program Files\Legacy Update\LegacyUpdate.exe" /regserver 328220

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Legacy Update\LegacyUpdate.dll"

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Legacy Update\LegacyUpdate32.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files\Legacy Update\LegacyUpdate32.dll"

C:\Program Files\Legacy Update\LegacyUpdate.exe

"C:\Program Files\Legacy Update\LegacyUpdate.exe" /launch /firstrun

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3368 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 legacyupdate.net udp
US 172.67.217.41:443 legacyupdate.net tcp
US 172.67.217.41:443 legacyupdate.net tcp
GB 142.250.179.227:80 c.pki.goog tcp
GB 2.18.27.76:443 www.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
US 150.171.28.10:443 ieonline.microsoft.com tcp
US 150.171.28.10:443 ieonline.microsoft.com tcp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/1404-0-0x0000000000400000-0x0000000000487000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsc6220.tmp\LegacyUpdateNSIS.dll

C:\Users\Admin\AppData\Local\Temp\nsc6220.tmp\System.dll

C:\Program Files\Legacy Update\LegacyUpdate.exe

C:\Program Files\Legacy Update\LegacyUpdate.dll

C:\Program Files\Legacy Update\LegacyUpdate32.dll

memory/1492-26-0x00007FF75CCB0000-0x00007FF75CCD0000-memory.dmp

memory/1404-41-0x0000000000400000-0x0000000000487000-memory.dmp

memory/1240-43-0x00007FF75CCB0000-0x00007FF75CCD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W1JN9WZ6\favicon[1].ico

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\amur9j7\imagestore.dat

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2FPEI6B1\PIE_IE9[1].js

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J37ACQEP\activex[1].js

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J37ACQEP\jquery[1].js

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CVT3CZ05\global[1].js

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

C:\Users\Admin\AppData\Local\Temp\Kno9E1D.tmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J37ACQEP\suggestions[1].en-US

Analysis: behavioral5

Detonation Overview

Submitted

2025-07-04 18:13

Reported

2025-07-04 18:16

Platform

win10v2004-20250502-en

Max time kernel

104s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSxfer.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3436 wrote to memory of 2776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3436 wrote to memory of 2776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3436 wrote to memory of 2776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSxfer.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSxfer.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2776 -ip 2776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 672

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/2776-0-0x0000000074F70000-0x0000000074F82000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2025-07-04 18:13

Reported

2025-07-04 18:16

Platform

win11-20250502-en

Max time kernel

101s

Max time network

111s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSxfer.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3868 wrote to memory of 3568 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3868 wrote to memory of 3568 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3868 wrote to memory of 3568 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSxfer.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSxfer.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3568 -ip 3568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 536

Network

Country Destination Domain Proto
US 52.111.227.11:443 tcp

Files

memory/3568-0-0x0000000075730000-0x0000000075742000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2025-07-04 18:13

Reported

2025-07-04 18:16

Platform

win10v2004-20250619-en

Max time kernel

103s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4240 wrote to memory of 3208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4240 wrote to memory of 3208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4240 wrote to memory of 3208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3208 -ip 3208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 612

Network

Country Destination Domain Proto
GB 2.18.27.76:443 www.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 18:13

Reported

2025-07-04 18:16

Platform

win10v2004-20250619-en

Max time kernel

103s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Control Panel\International\Geo\Nation C:\Program Files\Legacy Update\LegacyUpdate.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Legacy Update\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
File created C:\Program Files\Legacy Update\LegacyUpdate.dll C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
File created C:\Program Files\Legacy Update\LegacyUpdate.exe C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
N/A N/A C:\Program Files\Legacy Update\LegacyUpdate.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\ielowutil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "458417817" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\legacyupdate.net C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31190287" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a99294cc0d6ed74b8afae24cc34a9c32000000000200000000001066000000010000200000005c968459e421c10fbf7df8a628b0394235e7b3ead89d0ac4e59fac7dd3e44414000000000e8000000002000020000000d188626017cc7b27aacea74ce7306a454238ff034b3fe679a3c05202ffaab87820000000f8f3109b477e6734f8f2289556a43e58ee04057b668588dbea3b5fb4305018c34000000098aa377b552ecb1b1d9ea4f08f4a01a5fc092cdd04396306643d472819b163661e4f94cf16dd94833fb5d0219afa8ee99e45391fe4209ed0853903e23e3d8ec5 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982}\AppName = "LegacyUpdate.exe" C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\legacyupdate.net\ = "11" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2129262184" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982} C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982} C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "11" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31190287" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0044e47f0feddb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982}\AppPath = "C:\\Program Files\\Legacy Update" C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AA5C4909-5902-11F0-B464-724A1EDA80BB} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2129731050" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\DOMStorage\legacyupdate.net C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\legacyupdate.net\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\legacyupdate.net\Total = "11" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10a7da7f0feddb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a99294cc0d6ed74b8afae24cc34a9c32000000000200000000001066000000010000200000008f4b682ef0528d9467d166d54887d703ae07e469a90342e8889fd2db5996d1b5000000000e800000000200002000000027af786eda649b4cce05900574f7a3507f83ef9d28b23b5c32098bfa0d65775f20000000057a054cb0138da1756e622580db63299b46d3554f2a7652afd2d0da27d3db3340000000884faac6373638a7002712273a3f33a45f23d82683d31ff43a64ea34d279d9ecc20840fa792ad97df066d9e62bebd72ca26c7f74d8b2002648bace0cef513f77 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982}\AppPath = "C:\\Program Files\\Legacy Update" C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D800943-0434-49F2-89A1-472A259AD982}\AppName = "LegacyUpdate.exe" C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FFBE8D44-E9CF-4DD8-9FD6-976802C94D9C}\Shell\Open C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D0A82CD0-B6F0-4101-83ED-DA47D0D04830}\ = "Legacy Update Control" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\VersionIndependentProgID C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Implemented Categories C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Version C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ProxyStubClsid32\ = "{3236E684-0E4B-4780-9F31-F1983F5AB78D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FFBE8D44-E9CF-4DD8-9FD6-976802C94D9C}\ShellFolder\Attributes = "0" C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\MiscStatus\1\ = "131473" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LegacyUpdate.dll\AppID = "{D0A82CD0-B6F0-4101-83ED-DA47D0D04830}" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.Control\CurVer\ = "LegacyUpdate.Control.1" C:\Windows\System32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Control C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\MiscStatus\1 C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.Control C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\ = "ILegacyUpdateCtrl" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Elevation\Enabled = "1" C:\Windows\System32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\TypeLib C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\NumMethods C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FFBE8D44-E9CF-4DD8-9FD6-976802C94D9C} C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\TypeLib C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\VersionIndependentProgID\ = "LegacyUpdate.Control" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\InProcServer32\ = "C:\\Program Files\\Legacy Update\\LegacyUpdate.dll" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper\CurVer\ = "LegacyUpdate.ElevationHelper.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar.1\CLSID\ = "{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\ProgID\ = "LegacyUpdate.Control.1" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ = "IProgressBarControl" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LegacyUpdate.dll\AppID = "{D0A82CD0-B6F0-4101-83ED-DA47D0D04830}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3236E684-0E4B-4780-9F31-F1983F5AB78D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\InProcServer32\ = "C:\\Program Files\\Legacy Update\\LegacyUpdate32.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\TypeLib\Version = "1.0" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.Control.1\CLSID\ = "{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}" C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\ProxyStubClsid32 C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\ = "IElevationHelper" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar\CurVer\ = "LegacyUpdate.ProgressBar.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper\ = "Legacy Update Elevation Helper" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Version C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\TypeLib C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar.1\ = "ProgressBarControl Class" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\TypeLib\Version = "1.0" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar\ = "ProgressBarControl Class" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}\1.0\HELPDIR C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Implemented Categories C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638} C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar\ = "ProgressBarControl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\ProgID\ = "LegacyUpdate.ElevationHelper.1" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\NumMethods\ = "9" C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\ = "Legacy Update Elevation Helper" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Version\ = "1.0" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\InprocServer32\ = "C:\\Program Files\\Legacy Update\\LegacyUpdate.dll" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper\ = "Legacy Update Elevation Helper" C:\Windows\System32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\ProgID C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" C:\Windows\System32\regsvr32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3748 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe C:\Program Files\Legacy Update\LegacyUpdate.exe
PID 3748 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe C:\Program Files\Legacy Update\LegacyUpdate.exe
PID 3512 wrote to memory of 6140 N/A C:\Program Files\Legacy Update\LegacyUpdate.exe C:\Windows\System32\regsvr32.exe
PID 3512 wrote to memory of 6140 N/A C:\Program Files\Legacy Update\LegacyUpdate.exe C:\Windows\System32\regsvr32.exe
PID 3512 wrote to memory of 4012 N/A C:\Program Files\Legacy Update\LegacyUpdate.exe C:\Windows\System32\regsvr32.exe
PID 3512 wrote to memory of 4012 N/A C:\Program Files\Legacy Update\LegacyUpdate.exe C:\Windows\System32\regsvr32.exe
PID 4012 wrote to memory of 5712 N/A C:\Windows\System32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4012 wrote to memory of 5712 N/A C:\Windows\System32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4012 wrote to memory of 5712 N/A C:\Windows\System32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3748 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe C:\Program Files\Legacy Update\LegacyUpdate.exe
PID 3748 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe C:\Program Files\Legacy Update\LegacyUpdate.exe
PID 4128 wrote to memory of 3336 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4128 wrote to memory of 3336 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4128 wrote to memory of 3336 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
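
The "wrote to memory of" rows are how the sandbox records ordinary process creation: the parent writes the new process's startup data into it before its first thread runs, and each write is logged, so a single CreateProcess shows up as two or three identical rows. They read better as a tree than as a list. The example below is added here and is not code from the report or from the Legacy Update project; it collapses the repeated rows into parent/child edges, renders the tree, and picks out the hand-off from the 64-bit `C:\Windows\System32\regsvr32.exe` to its SysWOW64 copy, which is what the 64-bit regsvr32 does when handed the 32-bit `LegacyUpdate32.dll`. The input is a constructed copy of the table above.

```python
"""Rebuild the parent/child process tree from this report's 'Suspicious use
of WriteProcessMemory' rows. Added example; not code from the report or the
Legacy Update project. The sandbox logs one row per cross-process write, and
a parent writing into a child it has just created produces two or three of
them, so the rows collapse to one edge per CreateProcess."""
import re
from collections import defaultdict

# Constructed sample: the rows of the behavioral2 table, copied as printed.
SAMPLE_ROWS = r"""
PID 3748 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe C:\Program Files\Legacy Update\LegacyUpdate.exe
PID 3748 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe C:\Program Files\Legacy Update\LegacyUpdate.exe
PID 3512 wrote to memory of 6140 N/A C:\Program Files\Legacy Update\LegacyUpdate.exe C:\Windows\System32\regsvr32.exe
PID 3512 wrote to memory of 6140 N/A C:\Program Files\Legacy Update\LegacyUpdate.exe C:\Windows\System32\regsvr32.exe
PID 3512 wrote to memory of 4012 N/A C:\Program Files\Legacy Update\LegacyUpdate.exe C:\Windows\System32\regsvr32.exe
PID 3512 wrote to memory of 4012 N/A C:\Program Files\Legacy Update\LegacyUpdate.exe C:\Windows\System32\regsvr32.exe
PID 4012 wrote to memory of 5712 N/A C:\Windows\System32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4012 wrote to memory of 5712 N/A C:\Windows\System32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4012 wrote to memory of 5712 N/A C:\Windows\System32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3748 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe C:\Program Files\Legacy Update\LegacyUpdate.exe
PID 3748 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe C:\Program Files\Legacy Update\LegacyUpdate.exe
PID 4128 wrote to memory of 3336 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4128 wrote to memory of 3336 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4128 wrote to memory of 3336 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"""

# 'PID <parent> wrote to memory of <child> N/A <parent image> <child image>'
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")


def parse_edges(text):
    """Return {(parent_pid, child_pid): {"parent": img, "child": img, "writes": n}}."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        ppid, cpid, pimg, cimg = m.groups()
        key = (int(ppid), int(cpid))
        if key in edges:
            edges[key]["writes"] += 1          # repeated row = another write, same spawn
        else:
            edges[key] = {"parent": pimg, "child": cimg, "writes": 1}
    return edges


def build_tree(edges):
    """Return (children, images, roots); roots are PIDs never seen as a child."""
    children = defaultdict(list)
    images = {}
    for (ppid, cpid), e in edges.items():
        children[ppid].append(cpid)
        images.setdefault(ppid, e["parent"])
        images[cpid] = e["child"]
    all_children = {c for cs in children.values() for c in cs}
    roots = sorted(p for p in images if p not in all_children)
    return children, images, roots


def render(children, images, roots):
    """Indented one-line-per-process listing, tagging 32-bit (SysWOW64) images."""
    lines = []

    def walk(pid, depth):
        tag = "  [32-bit]" if "\\SysWOW64\\" in images[pid] else ""
        lines.append(f"{'  ' * depth}{pid} {images[pid]}{tag}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def arch_handoffs(edges):
    """Edges where a 64-bit System32 image spawned its SysWOW64 twin, as the
    64-bit regsvr32 does when handed a 32-bit DLL."""
    return sorted(k for k, e in edges.items()
                  if "\\System32\\" in e["parent"] and "\\SysWOW64\\" in e["child"])


if __name__ == "__main__":
    edges = parse_edges(SAMPLE_ROWS)
    print("\n".join(render(*build_tree(edges))))
    print("32-bit hand-offs:", arch_handoffs(edges))
```

The tree this produces matches the Processes list for this detonation: the installer (3748) runs `LegacyUpdate.exe /regserver` (3512), which runs regsvr32 on `LegacyUpdate.dll` (6140) and `LegacyUpdate32.dll` (4012), the latter relaunching as `SysWOW64\regsvr32.exe` (5712); the installer then starts `LegacyUpdate.exe /launch /firstrun` (4556). `iexplore.exe` (4128) has no recorded parent edge and so appears as a second root: its `-Embedding` command line means it was activated by COM rather than spawned by a sample process, and that activation leaves no WriteProcessMemory row.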

Processes

C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe

"C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe"

C:\Program Files\Legacy Update\LegacyUpdate.exe

"C:\Program Files\Legacy Update\LegacyUpdate.exe" /regserver 655990

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Legacy Update\LegacyUpdate.dll"

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Legacy Update\LegacyUpdate32.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files\Legacy Update\LegacyUpdate32.dll"

C:\Program Files\Legacy Update\LegacyUpdate.exe

"C:\Program Files\Legacy Update\LegacyUpdate.exe" /launch /firstrun

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4128 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 legacyupdate.net udp
US 172.67.217.41:443 legacyupdate.net tcp
US 172.67.217.41:443 legacyupdate.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
US 8.8.8.8:53 fe2cr.update.microsoft.com udp
US 132.196.74.209:443 fe2cr.update.microsoft.com tcp
US 8.8.8.8:53 download.windowsupdate.com udp
GB 84.201.209.100:80 download.windowsupdate.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
GB 142.250.180.3:80 c.pki.goog tcp
US 150.171.28.10:443 ieonline.microsoft.com tcp

Files

memory/3748-0-0x0000000000400000-0x0000000000487000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nso69C8.tmp\LegacyUpdateNSIS.dll

MD5 9faba20acb994499221c4066aa5bc043
SHA1 d19d76e98d0e433166d4c8f1f2b6ffbc9443548a
SHA256 afaa11c241ad99d31fe29dc07a0d2190dc0490f21d3bd6399b87498ad1055ec4
SHA512 3a8028e53259e193360b6fb7f49ac4f4ef9d8cf29b0681026ddfb4d5dc62cf35feea8184e05fccf212abf8e37da5b31c80e77ac323aab360ddd5fe827ca49224

C:\Users\Admin\AppData\Local\Temp\nso69C8.tmp\System.dll

MD5 617f4e0a6c8782cfca9aee923fc7f8e4
SHA1 c907a6310e450f1ff9fd14c4afd10b70add8f2ee
SHA256 43a5e3313332eb6835290e99f37dc84de6991d62cd8cb285f1dea32f66d1507e
SHA512 ef3fae21758358042a471b4c898bcda491b9e48edbe2f9f68c02c5f4d1e50313282323134916e5ad0b3b721f4c802d9aee77902831a580e5e54a1c2e36bbed2a

C:\Program Files\Legacy Update\LegacyUpdate.exe

MD5 a658cd3da26882d5cafc03cb04f28828
SHA1 952c0dd7b9a0a4fdaaf5a6bfd92649d76cec97f5
SHA256 e27c064ebb7c99ec65494d9371165f2b207e35cf2a5cd660e74223c0013e98c1
SHA512 23ad1e341dae59e5edadc92d56b0da0a5729228b079e0e57a4232c7ba83789d77ce7daf713b219811692327a1507b6bce0ccbc5dc99c2e253bf78216df63230e

C:\Program Files\Legacy Update\LegacyUpdate.dll

MD5 74350e57247d8e2ca48f296167749f6b
SHA1 4c6a29a11b3238896c635159475ee75726191974
SHA256 b98d511ed5039d3b8c9bf02eb25155b3917f38234d4e38113209276cea46bce3
SHA512 4fcc7d146a169b95e8839c92a79993a83203e47d8a293a96795b2b497d6cb39e0f702922d55514773d0992b7e11c63cfa7cccf755ae3becdbdfd4323f1f14054

C:\Program Files\Legacy Update\LegacyUpdate32.dll

MD5 a16b3a0f15a907da1a868b8e9842f1a4
SHA1 afd21759cfd0f68b765f3cd9365280094c8a618e
SHA256 9eb6498716330a0e1019316fc21261e1e81ccd319ed1a9c8d2555ecaeb0229ec
SHA512 f95a1b2ffabf3795a1b77eb67506603d213391efc04ec4a1592f24af4297777763518bb9c0c7e4be975591125cec587e33e48ec39f2c2fd641abd33a83687015

memory/3512-26-0x00007FF6CA530000-0x00007FF6CA550000-memory.dmp

memory/3748-41-0x0000000000400000-0x0000000000487000-memory.dmp

memory/4556-43-0x00007FF6CA530000-0x00007FF6CA550000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UC61FFNV\favicon[1].ico

MD5 234bff2200db4dd16e96bcb6ae5da9f0
SHA1 d348cd7dd3ab3b86cbd2548203186d0db6d4884e
SHA256 48282bd4c2ef47c6c51bab7011c8cef46395138d05ab83ac55b0415d64bcd277
SHA512 3bf1867fba4d0b0d9e1f30d0fadd71cdc3de964da7743d0ad2129aa0a7e96f6c057070bb8a122dab8fefdfa72324c4149db97e5fd622fd018fbb08ce17d9edfe

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\xvqhvi3\imagestore.dat

MD5 b8bfd4f0b46a40ef47592936a1ff8671
SHA1 d5d743ac3f2bbd43c95733ba49b5e34c9e675db2
SHA256 8c969228feaa34c8e0efcc6e0f3ab21961755f208e8676e2e7c871fe07117d4c
SHA512 ff8fb95c910afa2f69da2ec0803bbe92bf4c24aa05a77eb73af21ec76dda18391c674b6f70451e395244efe1c266e9061eaf67b21360114758e7b3966a27b6af

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0N5ANRLW\content[1].js

MD5 3f5c85e6db94d3770df4d5316d368e48
SHA1 62b31c769534010e8c4cd7697417a66356788993
SHA256 20da3eca3de93ab83a58bb5b08b9ccf8022c863049dbdd069415171f4600099c
SHA512 b99c2f369f32ce065878ddd69db947d2e6d351e745933a6946efa024e668692068318ef42e1623499a96a81de32c1a29557ae40c459b0cb999880db965f95013

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0N5ANRLW\content[1].css

MD5 851da6986ad50596a4a737884c8a34f7
SHA1 57694850292dac81b60de2946adeaee7a298d567
SHA256 cc90dadd7bbbe71807a845d9be7004c80552f0b6ac80c807e5e59752ea4a4ade
SHA512 9b26a790d244b45ee5f43f7c85c92e0597d0180972a898f3b851cae18e1848db527c9487635ba26a4a8a3b671535292ccf3cc12ea6ea44e0c3c04a67e59505ac

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9BEQ95AA\hcp[1].css

MD5 9b7ff692b36f18db4aba6662aac3bccb
SHA1 ad579f3c5b37f4694892422436cb045d39640e8c
SHA256 2ba11644aa731e07ef950e9ec9649c30f76a03c660b93f69ef94f038c93eabd1
SHA512 c89475b95873f304d93238f6a369c81369b50b81a985c9c5e3ee085f9a362fdd6f5d9d20872ea1e00bc03b340b29197aa58db8a857b22c3fe453b9175274be0b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0

MD5 1f12e0bf0132a75fa39048ac84b34b09
SHA1 38c60f3cc4a2a6c0d57ffd2702e33452f329827a
SHA256 3a11f528a4cd6b959a784ee816170463b43fd58ac09b94c8fe4f095344a65968
SHA512 4f8913a522cc1cf9b9a2c69be3ba158a6a128e275c1dae96bf675bec0ab31a3181cf453d5b2a018d41bebb4b295a1d1a1c947b28a69503fa354ab8ad4a13f677

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0

MD5 db3f2e41632254f91f7e5e41942d8ff0
SHA1 7da106440ca2f41c46abf0c425b49bbce80a1cfb
SHA256 601e2bdca83d313ce5087a94b902e3a8237c1255e1221deeb40b3ae5c3a9d9d3
SHA512 0cb09d9c84a09722a83150f24caf27cd72f873f77e765b45ac00b177c895f095d9126aafbba60aa3c54b2d3acbee104aa5d0ad1942aca4038586a2242528fbfe

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9BEQ95AA\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral3

Detonation Overview

Submitted

2025-07-04 18:13

Reported

2025-07-04 18:16

Platform

win10v2004-20250619-en

Max time kernel

104s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LegacyUpdateNSIS.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3868 wrote to memory of 6080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3868 wrote to memory of 6080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3868 wrote to memory of 6080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LegacyUpdateNSIS.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LegacyUpdateNSIS.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6080 -ip 6080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 652

Network

Country Destination Domain Proto
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
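
The Network table above belongs to a detonation in which only the dropped NSIS plugin DLL was loaded through rundll32 and crashed at once, so none of the installer's own code ran; every destination in it is the VM's background traffic (Bing start page and image CDN, certificate status fetches from Google's PKI), which makes it a usable control for the behavioral2 table earlier on this page. The example below is added here and is not code from the report or from the Legacy Update project. It parses both tables, copied in as constructed input, rolls connections up per domain and subtracts the control, which is a more defensible way to separate sample traffic from sandbox noise than a hand-written allowlist.

```python
"""Subtract sandbox background traffic from a detonation's Network table.
Added example; not code from the report or the Legacy Update project.
Rows are '<country> <ip>:<port> <domain> <proto>' as the report prints them."""
import re
from collections import defaultdict

# Constructed samples, copied from the report: behavioral2 ran the installer;
# behavioral3 only loaded the NSIS plugin DLL via rundll32, which crashed at
# once, so its traffic is the VM's own background and serves as the control.
BEHAVIORAL2_NET = """
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 legacyupdate.net udp
US 172.67.217.41:443 legacyupdate.net tcp
US 172.67.217.41:443 legacyupdate.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
US 8.8.8.8:53 fe2cr.update.microsoft.com udp
US 132.196.74.209:443 fe2cr.update.microsoft.com tcp
US 8.8.8.8:53 download.windowsupdate.com udp
GB 84.201.209.100:80 download.windowsupdate.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
GB 142.250.180.3:80 c.pki.goog tcp
US 150.171.28.10:443 ieonline.microsoft.com tcp
"""
BEHAVIORAL3_NET = """
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
"""

NET_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (tcp|udp)$")


def parse_net(text):
    """Return [(country, ip, port, domain, proto)] for every well-formed row."""
    rows = []
    for line in text.strip().splitlines():
        m = NET_RE.match(line)
        if m:
            cc, ip, port, domain, proto = m.groups()
            rows.append((cc, ip, int(port), domain, proto))
    return rows


def summarize(rows):
    """Per-domain roll-up: distinct IPs and ports, protocol mix, row count."""
    summ = defaultdict(lambda: {"ips": set(), "ports": set(), "protos": set(), "count": 0})
    for _cc, ip, port, domain, proto in rows:
        s = summ[domain]
        s["ips"].add(ip)
        s["ports"].add(port)
        s["protos"].add(proto)
        s["count"] += 1
    return dict(summ)


def residual(sample_rows, control_rows):
    """Domains the sample detonation contacted that the control did not."""
    control = {d for _c, _i, _p, d, _pr in control_rows}
    return sorted({d for _c, _i, _p, d, _pr in sample_rows} - control)


def resolved_only(rows):
    """Domains looked up over DNS (udp/53) but never actually connected to."""
    queried = {d for _c, _i, p, d, pr in rows if pr == "udp" and p == 53}
    connected = {d for _c, _i, p, d, pr in rows if not (pr == "udp" and p == 53)}
    return sorted(queried - connected)


if __name__ == "__main__":
    sample, control = parse_net(BEHAVIORAL2_NET), parse_net(BEHAVIORAL3_NET)
    for domain in residual(sample, control):
        s = summarize(sample)[domain]
        print(f"{domain}: {s['count']} rows, ips={sorted(s['ips'])}, ports={sorted(s['ports'])}")
    print("resolved but never connected:", resolved_only(sample))
```

For behavioral2 the residual is legacyupdate.net over 443 (the project's own site) plus fe2cr.update.microsoft.com, download.windowsupdate.com and ieonline.microsoft.com, which is consistent with `LegacyUpdate.exe /launch /firstrun` embedding Internet Explorer and talking to Windows Update. c.pki.goog appears in both runs and lines up with the CryptnetUrlCache entries in the behavioral2 Files list: that is the Windows certificate chain engine fetching revocation data from Google Trust Services, not the sample's own traffic. Subtraction only cuts one way: a sample that deliberately used a domain also present in the control would disappear from the residual, and the report carries no per-process attribution, so a residual domain is a lead to confirm with a per-process capture, not proof of sample-originated traffic.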

Files

memory/6080-0-0x00000000749A0000-0x00000000749AB000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2025-07-04 18:13

Reported

2025-07-04 18:16

Platform

win11-20250619-en

Max time kernel

101s

Max time network

104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LegacyUpdateNSIS.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4288 wrote to memory of 2452 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4288 wrote to memory of 2452 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4288 wrote to memory of 2452 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LegacyUpdateNSIS.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LegacyUpdateNSIS.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2452 -ip 2452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 508

Network

N/A

Files

memory/2452-0-0x0000000074B90000-0x0000000074B9B000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2025-07-04 18:13

Reported

2025-07-04 18:16

Platform

win11-20250610-en

Max time kernel

101s

Max time network

104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 680 wrote to memory of 3576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 680 wrote to memory of 3576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 680 wrote to memory of 3576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3576 -ip 3576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 460

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2025-07-04 18:13

Reported

2025-07-04 18:16

Platform

win10v2004-20250610-en

Max time kernel

105s

Max time network

140s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\LegacyUpdate.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.Control.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\ = "IElevationHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\MiscStatus C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar\ = "ProgressBarControl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper.1\ = "Legacy Update Elevation Helper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\ProgID\ = "LegacyUpdate.ElevationHelper.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\VersionIndependentProgID\ = "LegacyUpdate.ElevationHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\ = "Legacy Update Control" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.Control.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\MiscStatus\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ = "IProgressBarControl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Elevation\IconReference = "@C:\\Program Files\\Legacy Update\\LegacyUpdate.exe,-100" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper\CurVer\ = "LegacyUpdate.ElevationHelper.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\MiscStatus\1\ = "132497" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\NumMethods\ = "22" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\AppID = "{D0A82CD0-B6F0-4101-83ED-DA47D0D04830}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\ = "ILegacyUpdateCtrl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000_Classes\WOW6432Node\Interface C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LegacyUpdate.dll C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\ProgID\ = "LegacyUpdate.Control.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\MiscStatus\1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\ = "Legacy Update Progress Bar Control" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000_Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper.1\CLSID\ = "{84F517AD-6438-478F-BEA8-F0B808DC257F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.Control.1\ = "LegacyUpdateCtrl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LegacyUpdate.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
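
The "Modifies registry class" tables of behavioral2 (where the installer runs `LegacyUpdate.exe /regserver` and `regsvr32 /s` on its two DLLs) and behavioral9 (where the sandbox ran `regsvr32 /s` directly on the DLL it had dropped in Temp) are plain COM class registration under HKLM\SOFTWARE\Classes: a new CLSID per control, a ProgID, an InprocServer32 path per bitness (the WOW6432Node view for the 32-bit DLL), and, for the elevation helper, `Elevation\Enabled = 1`, which is the COM elevation moniker setting that lets a medium-integrity caller instantiate the class in an elevated surrogate behind a UAC prompt. Creating new CLSIDs is what the sandbox's COM signature keys on; hijacking would mean repointing an existing CLSID's server, which none of these rows do. The rows that do deserve a second look are the elevation flag and every server path, because an elevatable class is only as safe as the DLL it loads. The example below is added here and is not code from the report or from the Legacy Update project; it folds the rows into one record per CLSID and flags elevation-enabled classes and servers under user-writable paths. The sample rows are copied from the two tables, and the list of user-writable path fragments is the example's own assumption.

```python
"""Triage helper for the 'Modifies registry class' rows in this report.

Added example; not code from the report or from the Legacy Update project.
It groups the sandbox's registry rows by CLSID so that each COM class comes
out as one record: friendly name, ProgID, per-bitness InprocServer32 path,
whether the UAC elevation moniker is enabled, and which processes wrote it.
The list of user-writable path fragments is this example's own assumption.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: rows copied from the behavioral2 and behavioral9 tables.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Elevation\Enabled = "1" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\ProgID\ = "LegacyUpdate.ElevationHelper.1" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\ = "Legacy Update Elevation Helper" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\ProgID\ = "LegacyUpdate.Control.1" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\InprocServer32\ = "C:\\Program Files\\Legacy Update\\LegacyUpdate.dll" C:\Program Files\Legacy Update\LegacyUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\InProcServer32\ = "C:\\Program Files\\Legacy Update\\LegacyUpdate32.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Implemented Categories C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LegacyUpdate.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
"""

# 'Set value (type) <key path>[\<value name>] = "<data>" <writing process> N/A'
SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "([^"]*)" (\S.*?) N/A$')
CLSID_RE = re.compile(r"CLSID\\\{([0-9A-Fa-f-]{36})\}")

# Assumed path fragments that an unprivileged user can normally write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class ComClass:
    clsid: str
    name: str = ""
    progid: str = ""
    servers: dict = field(default_factory=dict)   # "x64" / "x86" -> DLL path
    elevation_enabled: bool = False
    writers: set = field(default_factory=set)


def parse_rows(text):
    """Return {clsid: ComClass}. Rows without a value ('Key created',
    'Key deleted') and rows not under a CLSID key (Interface, TypeLib,
    ProgID aliases) are skipped."""
    classes = {}
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if not m:
            continue
        _vtype, path, value, proc = m.groups()
        cm = CLSID_RE.search(path)
        if not cm:
            continue
        clsid = cm.group(1).upper()
        if clsid not in classes:
            classes[clsid] = ComClass(clsid)
        rec = classes[clsid]
        rec.writers.add(proc)
        view = "x86" if "\\WOW6432Node\\" in path else "x64"
        sub = path[cm.end():].lower()          # subkey/value below the CLSID key
        if sub == "\\":                        # default value: friendly name
            rec.name = value
        elif sub == "\\progid\\":
            rec.progid = value
        elif sub == "\\inprocserver32\\":
            rec.servers[view] = value.replace("\\\\", "\\")  # report escapes backslashes
        elif sub == "\\elevation\\enabled":
            rec.elevation_enabled = value.strip() != "0"
    return classes


def findings(classes):
    """Rows worth a second look: servers outside protected directories and
    classes that opt in to the COM elevation moniker (UAC-elevatable)."""
    out = []
    for rec in classes.values():
        for view, path in rec.servers.items():
            if any(tok in path.lower() for tok in USER_WRITABLE):
                out.append((rec.clsid, f"{view} InprocServer32 in user-writable path: {path}"))
        if rec.elevation_enabled:
            out.append((rec.clsid, f"Elevation\\Enabled=1 for {rec.progid or rec.name}"))
    return out


if __name__ == "__main__":
    for clsid, msg in findings(parse_rows(SAMPLE_ROWS)):
        print(f"{{{clsid}}}: {msg}")
```

Run over the behavioral2 rows alone, the only finding is the elevation flag on the ElevationHelper class, whose server lives under Program Files. The Temp-path finding comes from the behavioral9 rows: that InprocServer32 value points at `C:\Users\Admin\AppData\Local\Temp\LegacyUpdate.dll` because the sandbox registered the dropped DLL from where it landed, not because the installer does so, which is why a regsvr32-only detonation must not be read as the installer's own behaviour.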

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4624 wrote to memory of 5596 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4624 wrote to memory of 5596 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4624 wrote to memory of 5596 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\LegacyUpdate.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\LegacyUpdate.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2025-07-04 18:13

Reported

2025-07-04 18:16

Platform

win11-20250619-en

Max time kernel

99s

Max time network

102s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\LegacyUpdate.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar\CurVer\ = "LegacyUpdate.ProgressBar.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\ = "IElevationHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\ = "IElevationHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\VersionIndependentProgID\ = "LegacyUpdate.ElevationHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D0A82CD0-B6F0-4101-83ED-DA47D0D04830} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LegacyUpdate.dll\AppID = "{D0A82CD0-B6F0-4101-83ED-DA47D0D04830}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper.1\ = "Legacy Update Elevation Helper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Elevation C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Elevation\Enabled = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000_Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Elevation\IconReference = "@C:\\Program Files\\Legacy Update\\LegacyUpdate.exe,-100" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ProxyStubClsid32\ = "{3236E684-0E4B-4780-9F31-F1983F5AB78D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper.1\CLSID\ = "{84F517AD-6438-478F-BEA8-F0B808DC257F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\ = "Legacy Update Elevation Helper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D0A82CD0-B6F0-4101-83ED-DA47D0D04830}\DllSurrogate C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\ProgID\ = "LegacyUpdate.Control.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ = "IProgressBarControl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper\CurVer\ = "LegacyUpdate.ElevationHelper.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\AppID = "{D0A82CD0-B6F0-4101-83ED-DA47D0D04830}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\ = "Legacy Update Progress Bar Control" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\ProxyStubClsid32\ = "{3236E684-0E4B-4780-9F31-F1983F5AB78D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\ProgID\ = "LegacyUpdate.ElevationHelper.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LegacyUpdate.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\ = "ILegacyUpdateCtrl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.Control.1\CLSID\ = "{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar.1\ = "ProgressBarControl Class" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3476 wrote to memory of 2036 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3476 wrote to memory of 2036 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3476 wrote to memory of 2036 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\LegacyUpdate.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\LegacyUpdate.dll

Network

Files

N/A