File name: LenovoLegionToolkitSetup.exe
Full analysis: https://app.any.run/tasks/b513c164-692b-4d47-a994-aacdd265120c
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: August 07, 2024, 22:07:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: A3CD2F8295368F0E375A048DE4CE46C4
SHA1: 4A5D78C1800D339B42D9F2DC065F8137E96C3554
SHA256: 089D04FFD06A702C9AD70C431608A53A81AA2DB600448CAED539C693D80F780E
SSDEEP: 98304:mrq3BdwZIgi1KokDU5bfkjLlYMwmMXl+/uXGqd3PH99NJuUvHLnkDqDlYN7IzWws:S0RJqMZGw9cMM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee maliciousness or safety of the content.
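The verdict above rests on generic installer heuristics (executables dropped right after start, an autorun value written by PID 6012, msiexec activity). What the page itself records is an Inno Setup installer whose version resource names Bartosz Cichecki as company and Lenovo Legion Toolkit 2.23.1 as product, a bundled dotnet8.exe described as Microsoft Windows Desktop Runtime 8.0.5 that fetches windowsdesktop-runtime-8.0.5-win-x64.exe from download.visualstudio.microsoft.com, and zero network threats. Neither set of facts settles the question on its own: before acting on the verdict either way, compare the sample's SHA256 with the checksum the project publishes for its 2.23.1 release and check the Authenticode signatures on the installer and on the downloaded runtime. The following added example (not ANY.RUN's or the project's code) hashes every file under a directory and reports which ones match a hash IOC from this report; the IOC table is transcribed from the page, and the two files that demo() creates are constructed input, not the sample.

```python
"""Hash-IOC check against the sample and the hashed drops listed in this report."""
import hashlib
import os
import tempfile
from pathlib import Path

# Transcribed from the report, keyed by algorithm; the label records where the hash came from.
REPORT_IOCS = {
    "md5": {
        "A3CD2F8295368F0E375A048DE4CE46C4": "LenovoLegionToolkitSetup.exe (submitted sample)",
        "17BCDA6F3933B528690D77C1976D217F": "is-U3EHJ.tmp\\LenovoLegionToolkitSetup.tmp (dropped by PID 6540)",
        "ADAA9ECA82C6B623A91AFA28C69D130D": ".cr\\dotnet8.exe (dropped by PID 6396)",
    },
    "sha1": {
        "4A5D78C1800D339B42D9F2DC065F8137E96C3554": "LenovoLegionToolkitSetup.exe (submitted sample)",
    },
    "sha256": {
        "089D04FFD06A702C9AD70C431608A53A81AA2DB600448CAED539C693D80F780E": "LenovoLegionToolkitSetup.exe (submitted sample)",
        "E0DD0C0790BC584E50F9A7F6D5E1F7432092B28A64E303E05C5A47B37E8FC8F6": "is-U3EHJ.tmp\\LenovoLegionToolkitSetup.tmp (dropped by PID 6540)",
        "8B92EA1468357F5B176075B2693057C961A023A21E7898FB1DE4E8AD71CF2DC2": ".cr\\dotnet8.exe (dropped by PID 6396)",
    },
}

ALGORITHMS = ("md5", "sha1", "sha256")


def digests(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of an in-memory blob, upper-case hex as the report prints them."""
    return {alg: hashlib.new(alg, data).hexdigest().upper() for alg in ALGORITHMS}


def file_digests(path, chunk_size=1 << 20) -> dict:
    """Same three digests, streamed so a 55 MB runtime installer is not read into memory at once."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest().upper() for alg, h in hashers.items()}


def match_iocs(digest_map: dict, iocs=REPORT_IOCS) -> list:
    """(algorithm, label) for every report IOC the given digests hit; empty list if none."""
    hits = []
    for alg, value in digest_map.items():
        label = iocs.get(alg, {}).get(value.upper())
        if label:
            hits.append((alg, label))
    return hits


def scan_directory(root, iocs=REPORT_IOCS) -> dict:
    """Map each matching file path to its IOC hits; files that match nothing are omitted."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            hits = match_iocs(file_digests(path), iocs)
            if hits:
                results[str(path)] = hits
    return results


def demo() -> dict:
    """Constructed input: two files with contents chosen here, and the IOC table extended
    with the SHA256 of one of them so the match path is exercised offline."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "known.bin").write_bytes(b"constructed sample bytes")
        (Path(tmp) / "other.bin").write_bytes(b"unrelated bytes")
        iocs = {alg: dict(table) for alg, table in REPORT_IOCS.items()}
        iocs["sha256"][digests(b"constructed sample bytes")["sha256"]] = "constructed test file"
        found = scan_directory(tmp, iocs)
        return {os.path.basename(p): hits for p, hits in found.items()}


if __name__ == "__main__":
    print(demo())
```

Point scan_directory() at a quarantine folder or a download directory; a hit on the sample's SHA256 means the file is byte-identical to what this sandbox run analysed, while a hit on one of the dropped-file hashes identifies the stage that was left behind.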
  • MALICIOUS

    • Drops the executable file immediately after the start

      • LenovoLegionToolkitSetup.exe (PID: 6448)
      • LenovoLegionToolkitSetup.exe (PID: 6540)
      • dotnet8.exe (PID: 6396)
      • dotnet8.exe (PID: 6316)
      • windowsdesktop-runtime-8.0.5-win-x64.exe (PID: 6012)
      • LenovoLegionToolkitSetup.tmp (PID: 6564)
      • msiexec.exe (PID: 6044)
    • Changes the autorun value in the registry

      • windowsdesktop-runtime-8.0.5-win-x64.exe (PID: 6012)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • LenovoLegionToolkitSetup.tmp (PID: 6468)
      • LenovoLegionToolkitSetup.tmp (PID: 6564)
      • dotnet8.exe (PID: 6316)
      • Lenovo Legion Toolkit.exe (PID: 1536)
    • Reads the date of Windows installation

      • LenovoLegionToolkitSetup.tmp (PID: 6468)
      • LenovoLegionToolkitSetup.tmp (PID: 6564)
      • dotnet8.exe (PID: 6316)
    • Executable content was dropped or overwritten

      • LenovoLegionToolkitSetup.exe (PID: 6448)
      • LenovoLegionToolkitSetup.exe (PID: 6540)
      • LenovoLegionToolkitSetup.tmp (PID: 6564)
      • dotnet8.exe (PID: 6316)
      • dotnet8.exe (PID: 6396)
      • windowsdesktop-runtime-8.0.5-win-x64.exe (PID: 6012)
    • Reads the Windows owner or organization settings

      • LenovoLegionToolkitSetup.tmp (PID: 6564)
      • msiexec.exe (PID: 6044)
    • Command lists the installed versions of the .NET Runtime on the system

      • cmd.exe (PID: 6588)
    • Starts CMD.EXE for command execution

      • LenovoLegionToolkitSetup.tmp (PID: 6564)
    • Starts a Microsoft application from an unusual location

      • dotnet8.exe (PID: 6396)
      • windowsdesktop-runtime-8.0.5-win-x64.exe (PID: 6012)
      • dotnet8.exe (PID: 6316)
    • Searches for installed software

      • dotnet8.exe (PID: 6316)
      • windowsdesktop-runtime-8.0.5-win-x64.exe (PID: 6012)
    • Process drops legitimate windows executable

      • dotnet8.exe (PID: 6316)
      • dotnet8.exe (PID: 6396)
      • windowsdesktop-runtime-8.0.5-win-x64.exe (PID: 6012)
      • LenovoLegionToolkitSetup.tmp (PID: 6564)
      • msiexec.exe (PID: 6044)
    • Starts itself from another location

      • dotnet8.exe (PID: 6316)
    • Creates a software uninstall entry

      • windowsdesktop-runtime-8.0.5-win-x64.exe (PID: 6012)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 6044)
    • The process creates files with names similar to system file names

      • msiexec.exe (PID: 6044)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 6044)
  • INFO

    • Reads the computer name

      • LenovoLegionToolkitSetup.tmp (PID: 6468)
      • LenovoLegionToolkitSetup.exe (PID: 6540)
      • LenovoLegionToolkitSetup.tmp (PID: 6564)
      • dotnet8.exe (PID: 6396)
      • dotnet8.exe (PID: 6316)
      • windowsdesktop-runtime-8.0.5-win-x64.exe (PID: 6012)
      • msiexec.exe (PID: 6044)
      • msiexec.exe (PID: 6260)
      • msiexec.exe (PID: 6172)
      • msiexec.exe (PID: 6420)
      • msiexec.exe (PID: 2648)
      • Lenovo Legion Toolkit.exe (PID: 1536)
    • Reads Environment values

      • LenovoLegionToolkitSetup.exe (PID: 6448)
      • LenovoLegionToolkitSetup.tmp (PID: 6468)
      • LenovoLegionToolkitSetup.exe (PID: 6540)
      • LenovoLegionToolkitSetup.tmp (PID: 6564)
    • Checks supported languages

      • LenovoLegionToolkitSetup.tmp (PID: 6468)
      • LenovoLegionToolkitSetup.exe (PID: 6448)
      • LenovoLegionToolkitSetup.exe (PID: 6540)
      • LenovoLegionToolkitSetup.tmp (PID: 6564)
      • dotnet8.exe (PID: 6396)
      • windowsdesktop-runtime-8.0.5-win-x64.exe (PID: 6012)
      • dotnet8.exe (PID: 6316)
      • msiexec.exe (PID: 6044)
      • msiexec.exe (PID: 6172)
      • msiexec.exe (PID: 6260)
      • msiexec.exe (PID: 6420)
      • Lenovo Legion Toolkit.exe (PID: 1536)
      • msiexec.exe (PID: 2648)
    • Process checks computer location settings

      • LenovoLegionToolkitSetup.tmp (PID: 6468)
      • LenovoLegionToolkitSetup.tmp (PID: 6564)
      • dotnet8.exe (PID: 6316)
      • Lenovo Legion Toolkit.exe (PID: 1536)
    • Creates files in a temporary directory

      • LenovoLegionToolkitSetup.exe (PID: 6448)
      • LenovoLegionToolkitSetup.exe (PID: 6540)
      • LenovoLegionToolkitSetup.tmp (PID: 6564)
      • dotnet8.exe (PID: 6316)
      • windowsdesktop-runtime-8.0.5-win-x64.exe (PID: 6012)
    • Checks proxy server information

      • LenovoLegionToolkitSetup.tmp (PID: 6564)
    • Reads the software policy settings

      • LenovoLegionToolkitSetup.tmp (PID: 6564)
      • msiexec.exe (PID: 6044)
    • Reads the machine GUID from the registry

      • LenovoLegionToolkitSetup.tmp (PID: 6564)
      • windowsdesktop-runtime-8.0.5-win-x64.exe (PID: 6012)
      • msiexec.exe (PID: 6044)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 6044)
      • LenovoLegionToolkitSetup.tmp (PID: 6564)
      • Lenovo Legion Toolkit.exe (PID: 1536)
    • Creates files in the program directory

      • windowsdesktop-runtime-8.0.5-win-x64.exe (PID: 6012)
      • LenovoLegionToolkitSetup.tmp (PID: 6564)
      • Lenovo Legion Toolkit.exe (PID: 1536)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6044)
      • LenovoLegionToolkitSetup.tmp (PID: 6564)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6044)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:12 07:26:53+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 685056
InitializedDataSize: 159744
UninitializedDataSize: -
EntryPoint: 0xa83bc
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Bartosz Cichecki
FileDescription: Lenovo Legion Toolkit Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName: Lenovo Legion Toolkit
ProductVersion: 2.23.1
All screenshots are available in the full report
Total processes
137
Monitored processes
15
Malicious processes
8
Suspicious processes
0

Behavior graph

Monitored processes in start order ("no specs" marks a process with no specific indicators):
lenovolegiontoolkitsetup.exe
lenovolegiontoolkitsetup.tmp (no specs)
lenovolegiontoolkitsetup.exe
lenovolegiontoolkitsetup.tmp
cmd.exe (no specs)
conhost.exe (no specs)
dotnet8.exe
dotnet8.exe
windowsdesktop-runtime-8.0.5-win-x64.exe
msiexec.exe
msiexec.exe (no specs)
msiexec.exe (no specs)
msiexec.exe (no specs)
msiexec.exe (no specs)
lenovo legion toolkit.exe (no specs)

Process information

PID: 1536
CMD: "C:\Users\admin\AppData\Local\Programs\LenovoLegionToolkit\Lenovo Legion Toolkit.exe"
Path: C:\Users\admin\AppData\Local\Programs\LenovoLegionToolkit\Lenovo Legion Toolkit.exe
Parent process: LenovoLegionToolkitSetup.tmp
User:
admin
Company:
Lenovo Legion Toolkit
Integrity Level:
HIGH
Description:
Lenovo Legion Toolkit
Exit code:
201
Version:
2.23.1
Modules
Images
c:\users\admin\appdata\local\programs\lenovolegiontoolkit\lenovo legion toolkit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 2648
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 8FEB8C3E9A612CD29B1D285EDCB93418
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 6012
CMD: "C:\WINDOWS\Temp\{1F081906-A2FB-45EA-9F5D-F0CE36246F64}\.be\windowsdesktop-runtime-8.0.5-win-x64.exe" -q -burn.elevated BurnPipe.{692817C5-0F86-4E03-83D0-F435E5AB4104} {B8E8F7A9-562A-4611-8381-531A7C3F51AC} 6316
Path: C:\Windows\Temp\{1F081906-A2FB-45EA-9F5D-F0CE36246F64}\.be\windowsdesktop-runtime-8.0.5-win-x64.exe
Parent process: dotnet8.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Windows Desktop Runtime - 8.0.5 (x64)
Exit code:
0
Version:
8.0.5.33617
Modules
Images
c:\windows\temp\{1f081906-a2fb-45ea-9f5d-f0ce36246f64}\.be\windowsdesktop-runtime-8.0.5-win-x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6044
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 6172
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 61E41E45495F7B87B56ADA791E3B6E8C
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 6260
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 8C4A441D2F5EDA8DC48F742DC9B4C56D
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 6316
CMD: "C:\WINDOWS\Temp\{11F83922-CF98-441A-890F-FD686B1CD6F8}\.cr\dotnet8.exe" -burn.clean.room="C:\Users\admin\AppData\Local\Temp\is-9D8GF.tmp\dotnet8.exe" -burn.filehandle.attached=672 -burn.filehandle.self=680 /install /repair /passive /norestart
Path: C:\Windows\Temp\{11F83922-CF98-441A-890F-FD686B1CD6F8}\.cr\dotnet8.exe
Parent process: dotnet8.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Windows Desktop Runtime - 8.0.5 (x64)
Exit code:
0
Version:
8.0.5.33617
Modules
Images
c:\windows\temp\{11f83922-cf98-441a-890f-fd686b1cd6f8}\.cr\dotnet8.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6396
CMD: "C:\Users\admin\AppData\Local\Temp\is-9D8GF.tmp\dotnet8.exe" /install /repair /passive /norestart
Path: C:\Users\admin\AppData\Local\Temp\is-9D8GF.tmp\dotnet8.exe
Parent process: LenovoLegionToolkitSetup.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Windows Desktop Runtime - 8.0.5 (x64)
Exit code:
0
Version:
8.0.5.33617
Modules
Images
c:\users\admin\appdata\local\temp\is-9d8gf.tmp\dotnet8.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6420
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 5A032045B6BB2C2518B22B670E731241
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 6448
CMD: "C:\Users\admin\Desktop\LenovoLegionToolkitSetup.exe"
Path: C:\Users\admin\Desktop\LenovoLegionToolkitSetup.exe
Parent process: explorer.exe
User:
admin
Company:
Bartosz Cichecki
Integrity Level:
MEDIUM
Description:
Lenovo Legion Toolkit Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\desktop\lenovolegiontoolkitsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
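The process records above describe three nested installer mechanisms, and several of the signatures ("Starts itself from another location", "Starts a Microsoft application from unusual location") are those mechanisms seen one process at a time: Inno Setup unpacks a setup.tmp into %TEMP%\is-XXXXX.tmp, runs it, and re-launches the outer setup.exe elevated (6448 at MEDIUM, then 6468, 6540, 6564 and every later process at HIGH); the WiX Burn bundle dotnet8.exe copies itself to C:\Windows\Temp\{GUID}\.cr\ and re-runs with -burn.clean.room (6316), then starts its elevated engine from \.be\ with -burn.elevated, whose last argument is the parent PID 6316 (6012); the Windows Installer service (6044, /V, SYSTEM) spawns the -Embedding custom-action servers. The example below, added here and not ANY.RUN tooling, rebuilds that tree from the records and labels each stage. Assumptions: the page prints parent names, not PIDs, so parent PIDs are inferred from the names and start order except for 6012, whose command line carries it; paths and command lines the page does not print (6468, 6540, 6564, 6588) and conhost.exe's PID are left blank or omitted, and the is-U3EHJ.tmp file dropped by 6540 is assumed to be 6564's image.

```python
"""Process tree of this report, rebuilt from its process records."""
import re

# (pid, parent pid, image path or basename, command line, integrity level)
# Parent 0 = a process outside the monitored tree (explorer.exe for 6448, services.exe for 6044).
# Blank command lines / None integrity = not printed on the page. Parent PIDs other than 6012's are assumed.
PROCS = [
    (6448, 0, r"C:\Users\admin\Desktop\LenovoLegionToolkitSetup.exe",
     r'"C:\Users\admin\Desktop\LenovoLegionToolkitSetup.exe"', "MEDIUM"),
    (6468, 6448, "LenovoLegionToolkitSetup.tmp", "", None),
    (6540, 6468, "LenovoLegionToolkitSetup.exe", "", None),
    # dropped by 6540 per the Dropped files table; assumed to be the image of 6564
    (6564, 6540, r"C:\Users\admin\AppData\Local\Temp\is-U3EHJ.tmp\LenovoLegionToolkitSetup.tmp", "", None),
    (6588, 6564, "cmd.exe", "", None),
    (6396, 6564, r"C:\Users\admin\AppData\Local\Temp\is-9D8GF.tmp\dotnet8.exe",
     r'"C:\Users\admin\AppData\Local\Temp\is-9D8GF.tmp\dotnet8.exe" /install /repair /passive /norestart', "HIGH"),
    (6316, 6396, r"C:\Windows\Temp\{11F83922-CF98-441A-890F-FD686B1CD6F8}\.cr\dotnet8.exe",
     r'"C:\WINDOWS\Temp\{11F83922-CF98-441A-890F-FD686B1CD6F8}\.cr\dotnet8.exe" '
     r'-burn.clean.room="C:\Users\admin\AppData\Local\Temp\is-9D8GF.tmp\dotnet8.exe" '
     r'-burn.filehandle.attached=672 -burn.filehandle.self=680 /install /repair /passive /norestart', "HIGH"),
    (6012, 6316, r"C:\Windows\Temp\{1F081906-A2FB-45EA-9F5D-F0CE36246F64}\.be\windowsdesktop-runtime-8.0.5-win-x64.exe",
     r'"C:\WINDOWS\Temp\{1F081906-A2FB-45EA-9F5D-F0CE36246F64}\.be\windowsdesktop-runtime-8.0.5-win-x64.exe" '
     r'-q -burn.elevated BurnPipe.{692817C5-0F86-4E03-83D0-F435E5AB4104} {B8E8F7A9-562A-4611-8381-531A7C3F51AC} 6316', "HIGH"),
    (6044, 0, r"C:\Windows\System32\msiexec.exe", r"C:\WINDOWS\system32\msiexec.exe /V", "SYSTEM"),
    (6172, 6044, r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\syswow64\MsiExec.exe -Embedding 61E41E45495F7B87B56ADA791E3B6E8C", "HIGH"),
    (6260, 6044, r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\syswow64\MsiExec.exe -Embedding 8C4A441D2F5EDA8DC48F742DC9B4C56D", "HIGH"),
    (6420, 6044, r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\syswow64\MsiExec.exe -Embedding 5A032045B6BB2C2518B22B670E731241", "HIGH"),
    (2648, 6044, r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\syswow64\MsiExec.exe -Embedding 8FEB8C3E9A612CD29B1D285EDCB93418", "HIGH"),
    (1536, 6564, r"C:\Users\admin\AppData\Local\Programs\LenovoLegionToolkit\Lenovo Legion Toolkit.exe",
     r'"C:\Users\admin\AppData\Local\Programs\LenovoLegionToolkit\Lenovo Legion Toolkit.exe"', "HIGH"),
]

# Burn starts its elevated engine as "<exe> -q -burn.elevated <pipe name> <token> <parent pid>".
BURN_ELEVATED = re.compile(r"-burn\.elevated\s+\S+\s+\S+\s+(\d+)\s*$")
# Inno Setup's unpack directory: %TEMP%\is-XXXXX.tmp\
INNO_TMP_DIR = re.compile(r"\\is-[A-Z0-9]+\.tmp\\", re.IGNORECASE)


def basename(image):
    return image.replace("/", "\\").split("\\")[-1]


def burn_parent_pid(cmdline):
    """Parent PID that a -burn.elevated command line carries, or None."""
    m = BURN_ELEVATED.search(cmdline)
    return int(m.group(1)) if m else None


def stage(image, cmdline):
    """Name the installer stage a record represents from its path and arguments."""
    name = basename(image).lower()
    if "-burn.elevated" in cmdline:
        return "WiX Burn elevated engine (\\.be\\ copy, runs the MSI packages)"
    if "-burn.clean.room=" in cmdline:
        return "WiX Burn clean-room relaunch (\\.cr\\ copy of the bundle)"
    if "/install" in cmdline:
        return "WiX Burn bundle, first launch from the Inno Setup temp dir"
    if name.endswith(".tmp"):
        where = "Inno Setup temp dir" if INNO_TMP_DIR.search(image) else "path not printed"
        return f"Inno Setup unpacked installer ({where})"
    if name == "msiexec.exe":
        return "Windows Installer service" if cmdline.rstrip().endswith("/V") else "Windows Installer -Embedding server"
    if name.endswith("setup.exe"):
        return "Inno Setup bootstrap executable"
    if name == "cmd.exe":
        return "shell started by the installer"
    return "installed application"


def build_tree(procs=PROCS):
    by_pid = {p[0]: p for p in procs}
    children = {}
    for pid, ppid, *_ in procs:
        children.setdefault(ppid, []).append(pid)
    return by_pid, children


def render(procs=PROCS):
    """Indented tree, one line per record: pid, image, integrity, stage."""
    by_pid, children = build_tree(procs)
    lines = []

    def walk(pid, depth):
        _, _, image, cmdline, integ = by_pid[pid]
        lines.append(f"{'  ' * depth}{pid} {basename(image)} [{integ or '?'}] {stage(image, cmdline)}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in children.get(0, []):
        walk(root, 0)
    return lines


def integrity_changes(procs=PROCS):
    """(ancestor, pid, ancestor level, level) wherever the nearest ancestor with a printed
    integrity level differs: the UAC elevation between 6448 (MEDIUM) and the HIGH stages,
    and the SYSTEM installer service spawning HIGH -Embedding servers."""
    by_pid, _ = build_tree(procs)
    out = []
    for pid, ppid, _, _, integ in procs:
        if integ is None:
            continue
        anc = ppid
        while anc in by_pid and by_pid[anc][4] is None:
            anc = by_pid[anc][1]
        if anc in by_pid and by_pid[anc][4] != integ:
            out.append((anc, pid, by_pid[anc][4], integ))
    return out


if __name__ == "__main__":
    print("\n".join(render()))
    for anc, pid, before, after in integrity_changes():
        print(f"integrity {before} -> {after} between {anc} and {pid}")
```

The elevation boundary it reports lies somewhere between 6448 and 6396 because the page prints no integrity level for 6468, 6540 or 6564; in a live investigation the process-creation log (Sysmon event 1 or the sandbox's own tree) gives the exact parent PIDs and removes the assumptions above.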
Total events
20 739
Read events
19 772
Write events
916
Delete events
51

Modification events

PID (process) | operation | key | value name = data
PID 6564 (LenovoLegionToolkitSetup.tmp) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | Owner = A419000086056D2916E9DA01
PID 6564 (LenovoLegionToolkitSetup.tmp) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | SessionHash = 00F7A5A5D277538A6548AA182A32AD3B3D9B64D168C66D17C33CE3099F31CABF
PID 6564 (LenovoLegionToolkitSetup.tmp) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | Sequence = 1
PID 6564 (LenovoLegionToolkitSetup.tmp) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass = 1
PID 6564 (LenovoLegionToolkitSetup.tmp) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName = 1
PID 6564 (LenovoLegionToolkitSetup.tmp) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet = 1
PID 6564 (LenovoLegionToolkitSetup.tmp) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect = 0
PID 6316 (dotnet8.exe) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass = 1
PID 6316 (dotnet8.exe) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName = 1
PID 6316 (dotnet8.exe) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet = 1
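The page lists ten of the 916 write events, and none of them is a persistence location: the RestartManager\Session0000 values are the bookkeeping an installer creates when it asks Restart Manager which processes hold its files, and the four ZoneMap values are the defaults WinINet/urlmon writes when a process first initialises the Internet Explorer zone map. The autorun write that the signature attributes to PID 6012 is not among the events shown, so it cannot be examined here. The Owner value of a Restart Manager session is 12 bytes: the owning process's PID as a little-endian DWORD followed by its start time as a FILETIME, so it can be decoded and cross-checked against the report (it must give PID 6564 and a time shortly after the 22:07:04 UTC analysis start). The following added example (not ANY.RUN tooling) does that decode and classifies each listed write; the events are transcribed from the page, the autorun key patterns are the usual Run/RunOnce/Winlogon/Services locations and are not taken from the page, and the one Run-key event used to exercise that branch is constructed, with a PID that does not occur in the report.

```python
"""Decode and classify the registry writes listed in this report."""
import re
from datetime import datetime, timedelta, timezone

RM_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000"
ZONEMAP_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"

# (pid, process, key, value name, data) transcribed from the listing above; all are writes.
EVENTS = [
    (6564, "LenovoLegionToolkitSetup.tmp", RM_KEY, "Owner", "A419000086056D2916E9DA01"),
    (6564, "LenovoLegionToolkitSetup.tmp", RM_KEY, "SessionHash",
     "00F7A5A5D277538A6548AA182A32AD3B3D9B64D168C66D17C33CE3099F31CABF"),
    (6564, "LenovoLegionToolkitSetup.tmp", RM_KEY, "Sequence", "1"),
    (6564, "LenovoLegionToolkitSetup.tmp", ZONEMAP_KEY, "ProxyBypass", "1"),
    (6564, "LenovoLegionToolkitSetup.tmp", ZONEMAP_KEY, "IntranetName", "1"),
    (6564, "LenovoLegionToolkitSetup.tmp", ZONEMAP_KEY, "UNCAsIntranet", "1"),
    (6564, "LenovoLegionToolkitSetup.tmp", ZONEMAP_KEY, "AutoDetect", "0"),
    (6316, "dotnet8.exe", ZONEMAP_KEY, "ProxyBypass", "1"),
    (6316, "dotnet8.exe", ZONEMAP_KEY, "IntranetName", "1"),
    (6316, "dotnet8.exe", ZONEMAP_KEY, "UNCAsIntranet", "1"),
]

# Constructed event (not from the report) so the autorun branch can be exercised.
CONSTRUCTED_RUN_EVENT = (9999, "constructed.exe",
                         r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                         "Updater", "(constructed data)")

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_rm_owner(hex_value):
    """Restart Manager Owner value: DWORD PID (LE) + FILETIME start time (LE, 100 ns since 1601)."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 12:
        raise ValueError(f"expected 12 bytes, got {len(raw)}")
    pid = int.from_bytes(raw[:4], "little")
    filetime = int.from_bytes(raw[4:], "little")
    return pid, FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def classify(key, name):
    """Coarse class of a registry write, from the key path and value name."""
    k = key.lower()
    if "\\restartmanager\\session" in k:
        return "restart-manager session bookkeeping (installer checks for files in use)"
    if k.endswith("\\internet settings\\zonemap"):
        return "WinINet/urlmon zone-map defaults (not a persistence location)"
    if re.search(r"\\currentversion\\run(once|services)?(ex)?$", k) or "\\policies\\explorer\\run" in k:
        return "AUTORUN: Run-key persistence"
    if k.endswith("\\winlogon") and name.lower() in ("shell", "userinit"):
        return "AUTORUN: Winlogon shell/userinit"
    if "\\services\\" in k and name.lower() == "imagepath":
        return "AUTORUN: service image path"
    return "unclassified"


def triage(events=EVENTS):
    """Per-(pid, class) counts plus the decoded owner of every Restart Manager session seen."""
    summary, owners = {}, {}
    for pid, _proc, key, name, data in events:
        cls = classify(key, name)
        summary[(pid, cls)] = summary.get((pid, cls), 0) + 1
        if name == "Owner" and "\\restartmanager\\" in key.lower():
            owners[pid] = decode_rm_owner(data)
    return summary, owners


def autorun_hits(events=EVENTS):
    """Only the writes that land in an autorun location."""
    return [(pid, key, name, data) for pid, _proc, key, name, data in events
            if classify(key, name).startswith("AUTORUN")]


if __name__ == "__main__":
    summary, owners = triage()
    for (pid, cls), n in summary.items():
        print(f"{pid}: {n} x {cls}")
    for pid, (owner_pid, started) in owners.items():
        print(f"RM session written by {pid}: owner PID {owner_pid}, started {started.isoformat()}")
    print("autorun writes in the listed events:", autorun_hits())
    print("autorun writes in the constructed event:", autorun_hits([CONSTRUCTED_RUN_EVENT]))
```

Decoding the Owner value gives owner PID 6564 and a start time of 2024-08-07 22:07:15 UTC, eleven seconds after the analysis started, which confirms both that the session belongs to LenovoLegionToolkitSetup.tmp and that the binary layout assumed above is right for this value.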
Executable files
822
Suspicious files
79
Text files
33
Unknown types
7

Dropped files

PID (process): filename (type)
PID 6564 (LenovoLegionToolkitSetup.tmp): C:\Users\admin\AppData\Local\Temp\is-9D8GF.tmp\is-S6O5G.tmp
MD5:
SHA256:
PID 6564 (LenovoLegionToolkitSetup.tmp): C:\Users\admin\AppData\Local\Temp\is-9D8GF.tmp\dotnet8.exe
MD5:
SHA256:
PID 6540 (LenovoLegionToolkitSetup.exe): C:\Users\admin\AppData\Local\Temp\is-U3EHJ.tmp\LenovoLegionToolkitSetup.tmp (executable)
MD5: 17BCDA6F3933B528690D77C1976D217F
SHA256: E0DD0C0790BC584E50F9A7F6D5E1F7432092B28A64E303E05C5A47B37E8FC8F6
PID 6316 (dotnet8.exe): C:\Windows\Temp\{1F081906-A2FB-45EA-9F5D-F0CE36246F64}\.ba\1029\thm.wxl (xml)
MD5: 27411946EF45B3B8236319421770E5AD
SHA256: C92D3EFD72D6D14148F9931128EE4143AFFD1DA517EB358AB88ED4138C1434A4
PID 6316 (dotnet8.exe): C:\Windows\Temp\{1F081906-A2FB-45EA-9F5D-F0CE36246F64}\.ba\1031\thm.wxl (xml)
MD5: B45249A2238A5568B377E58D4CE89E9A
SHA256: 0C4203A81DCD01D53378036AF78CFFCF9E9A5AF7754DFBDD56584AE74C21CC61
PID 6396 (dotnet8.exe): C:\Windows\Temp\{11F83922-CF98-441A-890F-FD686B1CD6F8}\.cr\dotnet8.exe (executable)
MD5: ADAA9ECA82C6B623A91AFA28C69D130D
SHA256: 8B92EA1468357F5B176075B2693057C961A023A21E7898FB1DE4E8AD71CF2DC2
PID 6316 (dotnet8.exe): C:\Windows\Temp\{1F081906-A2FB-45EA-9F5D-F0CE36246F64}\.ba\1028\thm.wxl (xml)
MD5: B9428C94444693B5E3A392C8D0B95170
SHA256: C0413EDFD13FD27EEAB7B8CE60963668236466C48F4173C29F84093011C281AF
PID 6316 (dotnet8.exe): C:\Windows\Temp\{1F081906-A2FB-45EA-9F5D-F0CE36246F64}\.ba\1041\thm.wxl (xml)
MD5: E5FD798D4BBDD419A602423A699E2854
SHA256: 00AEC52B4564BC07302881FCFD510F7CCA535AC9E05CFD95A86738171626F6C4
PID 6316 (dotnet8.exe): C:\Windows\Temp\{1F081906-A2FB-45EA-9F5D-F0CE36246F64}\.ba\1045\thm.wxl (xml)
MD5: 8CFBEE02F1C88567CD9AA747FF27182E
SHA256: D92B3838DE7A1685CCBD04FC9C123704FBD198BFD284D8FAECE4A3663494E75A
PID 6316 (dotnet8.exe): C:\Windows\Temp\{1F081906-A2FB-45EA-9F5D-F0CE36246F64}\.ba\bg.png (image)
MD5: 9EB0320DFBF2BD541E6A55C01DDC9F20
SHA256: 9095BF7B6BAA0107B40A4A6D727215BE077133A190F4CA9BD89A176842141E79
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
15
DNS requests
5
Threats
0

HTTP requests

PID (process) | method | HTTP code | IP:port | URL | CN | type | size | reputation
PID 6044 (msiexec.exe) | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | CN: unknown | reputation: whitelisted
PID: (not listed) | GET | 200 | 68.232.34.200:443 | https://download.visualstudio.microsoft.com/download/pr/0ff148e7-bbf6-48ed-bdb6-367f4c8ea14f/bd35d787171a1f0de7da6b57cc900ef5/windowsdesktop-runtime-8.0.5-win-x64.exe | CN: unknown | type: executable | size: 55.6 Mb | reputation: unknown

Connections

PID (process) | IP:port | domain | ASN | CN | reputation
PID 4 (System) | 192.168.100.255:138 | whitelisted
PID 3888 (svchost.exe) | 239.255.255.250:1900 | whitelisted
PID 2272 (RUXIMICS.exe) | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
PID 2120 (MoUsoCoreWorker.exe) | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
PID 5056 (svchost.exe) | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
PID 4 (System) | 192.168.100.255:137 | whitelisted
PID 4324 (svchost.exe) | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
PID 6564 (LenovoLegionToolkitSetup.tmp) | 68.232.34.200:443 | download.visualstudio.microsoft.com | EDGECAST | US | whitelisted
PID 6044 (msiexec.exe) | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown

DNS requests

domain -> IP (reputation)
settings-win.data.microsoft.com -> 51.104.136.2 (whitelisted)
google.com -> 142.250.185.142 (whitelisted)
download.visualstudio.microsoft.com -> 68.232.34.200 (whitelisted)
www.microsoft.com -> 95.101.149.131 (whitelisted)

Threats

No threats detected
No debug info