| File name: | lghub_installer.exe |
| Full analysis: | https://app.any.run/tasks/e4220bea-b9de-4067-8598-2c86696fb12f |
| Verdict: | Malicious activity |
| Analysis date: | May 24, 2025, 23:19:28 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 8 sections |
| MD5: | 589D4DBD3A35EDF9FE6A99CF0A5B66E9 |
| SHA1: | 0F74E5337C2D08B7546EAC8906508B85C6DEFFB5 |
| SHA256: | 5457CD50774DDEC45DB87F6A6355DFB0CDA56EDDCED3E1D9E65CB12EE796C2DA |
| SSDEEP: | 393216:WZE0qqFWVSqs8+GiqQ5Q46CtpJuPlP8+GiqQ5m+Sbs9ZUIJRSE89N+X0:aqbnJf468XuNUP+ys9LSkX0 |
MALICIOUS
No malicious indicators.SUSPICIOUS
Reads the date of Windows installation
- lghub_installer.exe (PID: 7772)
- lghub_setup.exe (PID: 7888)
Reads security settings of Internet Explorer
- lghub_installer.exe (PID: 7772)
- lghub_setup.exe (PID: 7888)
- vc_redist.arm64.exe (PID: 8176)
Process drops legitimate windows executable
- lghub_setup.exe (PID: 7888)
- vc_redist.x64.exe (PID: 8008)
- vc_redist.x86.exe (PID: 8080)
- vc_redist.arm64.exe (PID: 8152)
- vc_redist.arm64.exe (PID: 8176)
- VC_redist.arm64.exe (PID: 7240)
Executable content was dropped or overwritten
- lghub_setup.exe (PID: 7888)
- vc_redist.x64.exe (PID: 8008)
- vc_redist.x64.exe (PID: 8032)
- vc_redist.x86.exe (PID: 8080)
- vc_redist.arm64.exe (PID: 8152)
- vc_redist.arm64.exe (PID: 8176)
- vc_redist.x86.exe (PID: 8104)
- VC_redist.arm64.exe (PID: 7240)
Starts a Microsoft application from unusual location
- vc_redist.x64.exe (PID: 8008)
- vc_redist.x64.exe (PID: 8032)
- vc_redist.x86.exe (PID: 8080)
- vc_redist.x86.exe (PID: 8104)
- vc_redist.arm64.exe (PID: 8152)
- vc_redist.arm64.exe (PID: 8176)
- VC_redist.arm64.exe (PID: 7240)
Searches for installed software
- vc_redist.x64.exe (PID: 8032)
- vc_redist.x86.exe (PID: 8104)
- vc_redist.arm64.exe (PID: 8176)
- dllhost.exe (PID: 496)
Executes as Windows Service
- VSSVC.exe (PID: 7248)
Starts itself from another location
- vc_redist.arm64.exe (PID: 8176)
INFO
Create files in a temporary directory
- lghub_installer.exe (PID: 7772)
- lghub_setup.exe (PID: 7888)
- vc_redist.x64.exe (PID: 8032)
- vc_redist.x86.exe (PID: 8104)
- vc_redist.arm64.exe (PID: 8176)
Reads the computer name
- lghub_installer.exe (PID: 7772)
- lghub_setup.exe (PID: 7888)
- vc_redist.x64.exe (PID: 8032)
- vc_redist.x86.exe (PID: 8104)
- vc_redist.arm64.exe (PID: 8176)
- VC_redist.arm64.exe (PID: 7240)
Process checks computer location settings
- lghub_installer.exe (PID: 7772)
- lghub_setup.exe (PID: 7888)
- vc_redist.arm64.exe (PID: 8176)
The sample compiled with english language support
- lghub_installer.exe (PID: 7772)
- lghub_setup.exe (PID: 7888)
- vc_redist.x64.exe (PID: 8008)
- vc_redist.x64.exe (PID: 8032)
- vc_redist.x86.exe (PID: 8104)
- vc_redist.arm64.exe (PID: 8152)
- vc_redist.arm64.exe (PID: 8176)
- vc_redist.x86.exe (PID: 8080)
- VC_redist.arm64.exe (PID: 7240)
Checks supported languages
- lghub_installer.exe (PID: 7772)
- lghub_setup.exe (PID: 7888)
- vc_redist.x64.exe (PID: 8008)
- vc_redist.x64.exe (PID: 8032)
- vc_redist.x86.exe (PID: 8080)
- vc_redist.x86.exe (PID: 8104)
- vc_redist.arm64.exe (PID: 8152)
- vc_redist.arm64.exe (PID: 8176)
- VC_redist.arm64.exe (PID: 7240)
Creates files or folders in the user directory
- lghub_setup.exe (PID: 7888)
Disables trace logs
- lghub_setup.exe (PID: 7888)
Reads the machine GUID from the registry
- lghub_setup.exe (PID: 7888)
Checks proxy server information
- lghub_setup.exe (PID: 7888)
Reads the software policy settings
- lghub_setup.exe (PID: 7888)
Reads Environment values
- lghub_setup.exe (PID: 7888)
Manages system restore points
- SrTasks.exe (PID: 7452)
Executable content was dropped or overwritten
- msiexec.exe (PID: 7624)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic Win/DOS Executable (50) |
|---|---|---|
| .exe | | | DOS Executable Generic (49.9) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:05:19 17:27:46+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.38 |
| CodeSize: | 189952 |
| InitializedDataSize: | 58685440 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x25d1c |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2025.4.9084.0 |
| ProductVersionNumber: | 2025.4.9084.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| CompanyName: | Logitech, Inc. |
| FileDescription: | Installer |
| FileVersion: | 2025.4.719084 |
| InternalName: | Logitech G HUB |
| LegalCopyright: | Copyright © Logitech, Inc. 2025 |
| ProductName: | Installer |
| ProductVersion: | 2025.4.719084 |
Total processes
143
Monitored processes
15
Malicious processes
3
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 496 | C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801} | C:\Windows\System32\dllhost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6512 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7240 | "C:\WINDOWS\Temp\{CED8F4BD-AB0E-4519-8365-2875CDE488C0}\.be\VC_redist.arm64.exe" -q -burn.elevated BurnPipe.{304A4A9F-AB7A-470D-846C-C4C887039C5A} {2CCAE144-2D5C-41EB-A0F5-C1C31FD33D78} 8176 | C:\Windows\Temp\{CED8F4BD-AB0E-4519-8365-2875CDE488C0}\.be\VC_redist.arm64.exe | vc_redist.arm64.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Visual C++ 2022 Redistributable (Arm64) - 14.40.33810 Exit code: 1633 Version: 14.40.33810.0 Modules
| |||||||||||||||
| 7248 | C:\WINDOWS\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7376 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7452 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11 | C:\Windows\System32\SrTasks.exe | — | dllhost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft® Windows System Protection background tasks. Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7624 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7772 | "C:\Users\admin\Desktop\lghub_installer.exe" | C:\Users\admin\Desktop\lghub_installer.exe | — | explorer.exe | |||||||||||
User: admin Company: Logitech, Inc. Integrity Level: MEDIUM Description: Installer Version: 2025.4.719084 Modules
| |||||||||||||||
| 7888 | "C:\Users\admin\AppData\Local\Temp\ghub-b433-d035-94f2-ff31-1917\lghub_setup.exe" | C:\Users\admin\AppData\Local\Temp\ghub-b433-d035-94f2-ff31-1917\lghub_setup.exe | lghub_installer.exe | ||||||||||||
User: admin Company: Logitech, Inc. Integrity Level: HIGH Description: Logitech G HUB Version: 2025.4.9084 Modules
| |||||||||||||||
| 8008 | "C:\Users\admin\AppData\Local\Temp\ghub-4zevovbf.sdh\vc_redist.x64.exe" /install /quiet /norestart | C:\Users\admin\AppData\Local\Temp\ghub-4zevovbf.sdh\vc_redist.x64.exe | lghub_setup.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.24.28127 Exit code: 1638 Version: 14.24.28127.4 Modules
| |||||||||||||||
Total events
14 566
Read events
14 332
Write events
208
Delete events
26
Modification events
| (PID) Process: | (7888) lghub_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lghub_setup_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (7888) lghub_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lghub_setup_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (7888) lghub_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lghub_setup_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (7888) lghub_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lghub_setup_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (7888) lghub_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lghub_setup_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
| (PID) Process: | (7888) lghub_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lghub_setup_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
| (PID) Process: | (7888) lghub_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lghub_setup_RASAPI32 |
| Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
| (PID) Process: | (7888) lghub_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lghub_setup_RASMANCS |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (7888) lghub_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lghub_setup_RASMANCS |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (7888) lghub_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lghub_setup_RASMANCS |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
Executable files
18
Suspicious files
8
Text files
100
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7772 | lghub_installer.exe | C:\Users\admin\AppData\Local\Temp\ghub-b433-d035-94f2-ff31-1917\lghub_setup.exe | — | |
MD5:— | SHA256:— | |||
| 7888 | lghub_setup.exe | C:\Users\admin\AppData\Local\Temp\ghub-4zevovbf.sdh\vc_redist.arm64.exe | executable | |
MD5:8A18E318309DF2DDE09402720131DB1A | SHA256:15B8F5B2106DC7A7BD83AB57B796770E0F4ECB891AD19BF655C9D6A9DA650AD2 | |||
| 8032 | vc_redist.x64.exe | C:\Windows\Temp\{49EF3C5D-103E-4015-ADA9-B67BAB4AD3C1}\.ba\1036\thm.wxl | xml | |
MD5:7B46AE8698459830A0F9116BC27DE7DF | SHA256:704DDF2E60C1F292BE95C7C79EE48FE8BA8534CEB7CCF9A9EA68B1AD788AE9D4 | |||
| 7888 | lghub_setup.exe | C:\Users\admin\AppData\Local\Temp\ghub-4zevovbf.sdh\vc_redist.x64.exe | executable | |
MD5:BE433764FA9BBE0F2F9C654F6512C9E0 | SHA256:40EA2955391C9EAE3E35619C4C24B5AAF3D17AEAA6D09424EE9672AA9372AEED | |||
| 8032 | vc_redist.x64.exe | C:\Windows\Temp\{49EF3C5D-103E-4015-ADA9-B67BAB4AD3C1}\.ba\1028\license.rtf | text | |
MD5:B7F65A3A169484D21FA075CCA79083ED | SHA256:32585B93E69272B6D42DAC718E04D954769FE31AC9217C6431510E9EEAD78C49 | |||
| 8032 | vc_redist.x64.exe | C:\Windows\Temp\{49EF3C5D-103E-4015-ADA9-B67BAB4AD3C1}\.ba\thm.xml | xml | |
MD5:F62729C6D2540015E072514226C121C7 | SHA256:F13BAE0EC08C91B4A315BB2D86EE48FADE597E7A5440DCE6F751F98A3A4D6916 | |||
| 8032 | vc_redist.x64.exe | C:\Windows\Temp\{49EF3C5D-103E-4015-ADA9-B67BAB4AD3C1}\.ba\1031\license.rtf | text | |
MD5:C2CFA4CE43DFF1FCD200EDD2B1212F0A | SHA256:F861DB23B972FAAA54520558810387D742878947057CF853DC74E5F6432E6A1B | |||
| 8032 | vc_redist.x64.exe | C:\Windows\Temp\{49EF3C5D-103E-4015-ADA9-B67BAB4AD3C1}\.ba\logo.png | image | |
MD5:D6BD210F227442B3362493D046CEA233 | SHA256:335A256D4779EC5DCF283D007FB56FD8211BBCAF47DCD70FE60DED6A112744EF | |||
| 8032 | vc_redist.x64.exe | C:\Windows\Temp\{49EF3C5D-103E-4015-ADA9-B67BAB4AD3C1}\.ba\thm.wxl | xml | |
MD5:FBFCBC4DACC566A3C426F43CE10907B6 | SHA256:70400F181D00E1769774FF36BCD8B1AB5FBC431418067D31B876D18CC04EF4CE | |||
| 8032 | vc_redist.x64.exe | C:\Windows\Temp\{49EF3C5D-103E-4015-ADA9-B67BAB4AD3C1}\.ba\1029\thm.wxl | xml | |
MD5:16343005D29EC431891B02F048C7F581 | SHA256:07FB3EC174F25DFBE532D9D739234D9DFDA8E9D34F01FE660C5B4D56989FA779 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
39
TCP/UDP connections
68
DNS requests
18
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | HEAD | 403 | 18.245.31.6:443 | https://util.logitech.io/brand | unknown | — | — | unknown |
— | — | POST | 200 | 34.120.195.249:443 | https://o311478.ingest.us.sentry.io/api/4507430762512384/envelope/ | unknown | binary | 2 b | whitelisted |
— | — | GET | 304 | 172.202.163.200:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | unknown |
— | — | GET | 200 | 172.202.163.200:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | unknown |
5164 | SIHClient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5164 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
5164 | SIHClient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
5164 | SIHClient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | — | — | whitelisted |
5164 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
5164 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
7888 | lghub_setup.exe | 34.120.195.249:443 | o311478.ingest.us.sentry.io | GOOGLE-CLOUD-PLATFORM | US | whitelisted |
7888 | lghub_setup.exe | 18.245.31.110:443 | util.logitech.io | — | US | whitelisted |
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
5164 | SIHClient.exe | 4.245.163.56:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5164 | SIHClient.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5164 | SIHClient.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
o311478.ingest.us.sentry.io |
| whitelisted |
util.logitech.io |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
go.microsoft.com |
| whitelisted |