879e45078db5e25ff7d7f06162da04982b63fdb60a91b578626124c50186d26b

Resubmissions

06/10/2022, 12:44

221006-pyhc5ahdc6 8

06/10/2022, 12:40

221006-pwakhahdc4 8

Analysis

max time kernel
91s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2022, 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LenovoLegionToolkitSetup.exe
Size

4.8MB
MD5

4bb04adada4e23c0bbb20ea5cbb744eb
SHA1

f4f270a57c89cfe44ea20cda0d6d83cd1b471ac9
SHA256

879e45078db5e25ff7d7f06162da04982b63fdb60a91b578626124c50186d26b
SHA512

c01a41d165a8ce4c912f60b6b4fc08791239b8a487e2537e49ce2d37251948fb98b24d4af6320aaa6cdee22cff6b5a0b96cfa2a190e1621f9923c037145eb558
SSDEEP

98304:7kLjeoEDK0ONsA41YOuEDb28kpgmCyKr3xZ2XilWDnE55ljf:w6oEDfQiYvE32Gy43xZ2Xt2nr

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
2436	LenovoLegionToolkitSetup.tmp
1780	netcorecheck_x64.exe
3948	dotnet60desktop_x64.exe
816	dotnet60desktop_x64.exe
4372	windowsdesktop-runtime-6.0.8-win-x64.exe
5004	Lenovo Legion Toolkit.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	LenovoLegionToolkitSetup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	dotnet60desktop_x64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Lenovo Legion Toolkit.exe

Loads dropped DLL 64 IoCs

pid	Process
816	dotnet60desktop_x64.exe
2824	MsiExec.exe
2824	MsiExec.exe
408	MsiExec.exe
408	MsiExec.exe
3564	MsiExec.exe
3564	MsiExec.exe
1788	MsiExec.exe
1788	MsiExec.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe
5004	Lenovo Legion Toolkit.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	windowsdesktop-runtime-6.0.8-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ca35acb3-b442-44fb-924c-4448120bf689} = "\"C:\\ProgramData\\Package Cache\\{ca35acb3-b442-44fb-924c-4448120bf689}\\windowsdesktop-runtime-6.0.8-win-x64.exe\" /burn.runonce"	windowsdesktop-runtime-6.0.8-win-x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\System.Data.DataSetExtensions.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\coreclr.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\fr\System.Windows.Input.Manipulations.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\System.Net.WebHeaderCollection.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\System.IO.IsolatedStorage.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\System.Web.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\ko\System.Windows.Input.Manipulations.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\msquic.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\api-ms-win-crt-private-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\api-ms-win-core-fibers-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\System.ComponentModel.Annotations.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\pl\PresentationCore.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\clrjit.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\.version	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\PenImc_cor3.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\es\UIAutomationClient.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 6.0.8 (x64).swidtag	windowsdesktop-runtime-6.0.8-win-x64.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\System.Threading.Thread.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\System.Linq.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\fr\System.Xaml.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\pl\System.Windows.Forms.Design.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\es\System.Windows.Forms.Design.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\api-ms-win-core-processthreads-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\it\WindowsBase.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\System.Windows.Forms.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\api-ms-win-core-errorhandling-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\System.Text.Json.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\System.Runtime.InteropServices.RuntimeInformation.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\zh-Hant\System.Windows.Controls.Ribbon.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\wpfgfx_cor3.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\tr\WindowsFormsIntegration.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\fr\Microsoft.VisualBasic.Forms.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\System.Numerics.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\System.Net.NetworkInformation.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\pt-BR\System.Windows.Forms.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\pl\WindowsFormsIntegration.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\api-ms-win-crt-environment-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\api-ms-win-crt-convert-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\api-ms-win-core-file-l1-2-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\tr\ReachFramework.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\System.Data.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\zh-Hant\ReachFramework.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\de\ReachFramework.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\System.Linq.Parallel.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\System.Reflection.Primitives.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\cs\ReachFramework.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\cs\WindowsBase.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\zh-Hans\UIAutomationProvider.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\System.Xml.XPath.XDocument.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\System.Reflection.Emit.Lightweight.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\api-ms-win-crt-locale-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\System.Net.NameResolution.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\System.Net.WebProxy.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\de\UIAutomationProvider.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\zh-Hans\WindowsBase.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\es\WindowsFormsIntegration.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\PresentationFramework.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\Microsoft.VisualBasic.Forms.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\ja\PresentationFramework.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\ja\System.Windows.Forms.Design.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\System.Drawing.Design.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\fr\UIAutomationClientSideProviders.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\Microsoft.VisualBasic.Core.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\it\System.Windows.Forms.Design.resources.dll	msiexec.exe

Drops file in Windows directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIADC7.tmp	msiexec.exe
File created	C:\Windows\Installer\e5793cc.msi	msiexec.exe
File created	C:\Windows\Installer\e5793d0.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EB3983F9-3D60-456D-A11A-C1366C79AD3E}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9971.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAB65.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB52D.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6950FA03-8B88-4675-B685-FB21CA1762CC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB899.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5793d0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9DD7.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{3C3CA326-3F1D-43B7-B0AD-CBC06B2DED5A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB173.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB2A.tmp	msiexec.exe
File created	C:\Windows\Installer\e5793c7.msi	msiexec.exe
File created	C:\Windows\Installer\e5793d3.msi	msiexec.exe
File created	C:\Windows\Installer\e5793c4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5793c4.msi	msiexec.exe
File created	C:\Windows\Installer\e5793cb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\e5793c8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBFEE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC500.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{7CEA3ABF-FE24-42AF-ADE6-B4A3EE346743}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAFBC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5793cc.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e5793c8.msi	msiexec.exe
File created	C:\Windows\Installer\e5793cf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID675.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\21	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\20	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FBA3AEC742EFFA24DA6E4B3AEE437634\ProductName = "Microsoft .NET Runtime - 6.0.8 (x64)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\623AC3C3D1F37B340BDABC0CB6D2DEA5\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30AF059688B857646B58BF12AC7126CC\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30AF059688B857646B58BF12AC7126CC\SourceList\PackageName = "dotnet-host-6.0.8-win-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.35.45462_x64\ = "{3C3CA326-3F1D-43B7-B0AD-CBC06B2DED5A}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\623AC3C3D1F37B340BDABC0CB6D2DEA5\PackageCode = "775436CBE9E579E4C99A524F9F227C6E"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\623AC3C3D1F37B340BDABC0CB6D2DEA5\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{3C3CA326-3F1D-43B7-B0AD-CBC06B2DED5A}v48.35.45462\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30AF059688B857646B58BF12AC7126CC\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F3893BE06D3D6541AA11C63C697DAE3	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F3893BE06D3D6541AA11C63C697DAE3\PackageCode = "20A181425160AB347A0203A2F2507892"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\windowsdesktop_runtime_48.35.45540_x64	windowsdesktop-runtime-6.0.8-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\623AC3C3D1F37B340BDABC0CB6D2DEA5\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64	windowsdesktop-runtime-6.0.8-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9F3893BE06D3D6541AA11C63C697DAE3\Provider	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F3893BE06D3D6541AA11C63C697DAE3\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F3893BE06D3D6541AA11C63C697DAE3\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F3893BE06D3D6541AA11C63C697DAE3\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3D8B53D9DC55ACC7DCBFF21198B65299	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FBA3AEC742EFFA24DA6E4B3AEE437634\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\ = "{6950FA03-8B88-4675-B685-FB21CA1762CC}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.35.45540_x64\ = "{EB3983F9-3D60-456D-A11A-C1366C79AD3E}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\dotnet_runtime_48.35.45462_x64	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F3893BE06D3D6541AA11C63C697DAE3\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.35.45462_x64\ = "{7CEA3ABF-FE24-42AF-ADE6-B4A3EE346743}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FBA3AEC742EFFA24DA6E4B3AEE437634	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA09DC07E8256FC5284912EAD0B2A9A8	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30AF059688B857646B58BF12AC7126CC	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FBA3AEC742EFFA24DA6E4B3AEE437634\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FBA3AEC742EFFA24DA6E4B3AEE437634\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{7CEA3ABF-FE24-42AF-ADE6-B4A3EE346743}v48.35.45462\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.35.45462_x64\Dependents	windowsdesktop-runtime-6.0.8-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\623AC3C3D1F37B340BDABC0CB6D2DEA5\Provider	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30AF059688B857646B58BF12AC7126CC\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\Dependents\{ca35acb3-b442-44fb-924c-4448120bf689}	windowsdesktop-runtime-6.0.8-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\623AC3C3D1F37B340BDABC0CB6D2DEA5\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.35.45462_x64\Dependents	windowsdesktop-runtime-6.0.8-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\DisplayName = "Microsoft .NET Host - 6.0.8 (x64)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30AF059688B857646B58BF12AC7126CC\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30AF059688B857646B58BF12AC7126CC\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{6950FA03-8B88-4675-B685-FB21CA1762CC}v48.35.45462\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FBA3AEC742EFFA24DA6E4B3AEE437634\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FBA3AEC742EFFA24DA6E4B3AEE437634\SourceList\PackageName = "dotnet-runtime-6.0.8-win-x64.msi"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F3893BE06D3D6541AA11C63C697DAE3\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F3893BE06D3D6541AA11C63C697DAE3\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{ca35acb3-b442-44fb-924c-4448120bf689}	windowsdesktop-runtime-6.0.8-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\623AC3C3D1F37B340BDABC0CB6D2DEA5\Version = "807645590"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30AF059688B857646B58BF12AC7126CC\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F3893BE06D3D6541AA11C63C697DAE3\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{EB3983F9-3D60-456D-A11A-C1366C79AD3E}v48.35.45540\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.35.45462_x64\Version = "48.35.45462"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FBA3AEC742EFFA24DA6E4B3AEE437634\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{7CEA3ABF-FE24-42AF-ADE6-B4A3EE346743}v48.35.45462\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30AF059688B857646B58BF12AC7126CC\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F3893BE06D3D6541AA11C63C697DAE3\Version = "807645668"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FBA3AEC742EFFA24DA6E4B3AEE437634\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\623AC3C3D1F37B340BDABC0CB6D2DEA5\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.35.45540_x64\Dependents	windowsdesktop-runtime-6.0.8-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\623AC3C3D1F37B340BDABC0CB6D2DEA5\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\30AF059688B857646B58BF12AC7126CC	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\8996AF45C13524D6BDA445BD7441F70C\9F3893BE06D3D6541AA11C63C697DAE3	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{ca35acb3-b442-44fb-924c-4448120bf689}\Dependents\{ca35acb3-b442-44fb-924c-4448120bf689}	windowsdesktop-runtime-6.0.8-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\623AC3C3D1F37B340BDABC0CB6D2DEA5	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\Dependents	windowsdesktop-runtime-6.0.8-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.35.45540_x64\DisplayName = "Microsoft Windows Desktop Runtime - 6.0.8 (x64)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA09DC07E8256FC5284912EAD0B2A9A8\623AC3C3D1F37B340BDABC0CB6D2DEA5	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\623AC3C3D1F37B340BDABC0CB6D2DEA5\SourceList\PackageName = "dotnet-hostfxr-6.0.8-win-x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F3893BE06D3D6541AA11C63C697DAE3\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F3893BE06D3D6541AA11C63C697DAE3\SourceList\Media	msiexec.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3900	msiexec.exe
3900	msiexec.exe
3900	msiexec.exe
3900	msiexec.exe
3900	msiexec.exe
3900	msiexec.exe
3900	msiexec.exe
3900	msiexec.exe
2436	LenovoLegionToolkitSetup.tmp
2436	LenovoLegionToolkitSetup.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeIncreaseQuotaPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeSecurityPrivilege	3900	msiexec.exe
Token: SeCreateTokenPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeAssignPrimaryTokenPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeLockMemoryPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeIncreaseQuotaPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeMachineAccountPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeTcbPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeSecurityPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeTakeOwnershipPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeLoadDriverPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeSystemProfilePrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeSystemtimePrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeProfSingleProcessPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeIncBasePriorityPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeCreatePagefilePrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeCreatePermanentPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeBackupPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeRestorePrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeShutdownPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeDebugPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeAuditPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeSystemEnvironmentPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeChangeNotifyPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeRemoteShutdownPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeUndockPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeSyncAgentPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeEnableDelegationPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeManageVolumePrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeImpersonatePrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeCreateGlobalPrivilege	4372	windowsdesktop-runtime-6.0.8-win-x64.exe
Token: SeRestorePrivilege	3900	msiexec.exe
Token: SeTakeOwnershipPrivilege	3900	msiexec.exe
Token: SeRestorePrivilege	3900	msiexec.exe
Token: SeTakeOwnershipPrivilege	3900	msiexec.exe
Token: SeRestorePrivilege	3900	msiexec.exe
Token: SeTakeOwnershipPrivilege	3900	msiexec.exe
Token: SeRestorePrivilege	3900	msiexec.exe
Token: SeTakeOwnershipPrivilege	3900	msiexec.exe
Token: SeRestorePrivilege	3900	msiexec.exe
Token: SeTakeOwnershipPrivilege	3900	msiexec.exe
Token: SeRestorePrivilege	3900	msiexec.exe
Token: SeTakeOwnershipPrivilege	3900	msiexec.exe
Token: SeRestorePrivilege	3900	msiexec.exe
Token: SeTakeOwnershipPrivilege	3900	msiexec.exe
Token: SeRestorePrivilege	3900	msiexec.exe
Token: SeTakeOwnershipPrivilege	3900	msiexec.exe
Token: SeRestorePrivilege	3900	msiexec.exe
Token: SeTakeOwnershipPrivilege	3900	msiexec.exe
Token: SeRestorePrivilege	3900	msiexec.exe
Token: SeTakeOwnershipPrivilege	3900	msiexec.exe
Token: SeRestorePrivilege	3900	msiexec.exe
Token: SeTakeOwnershipPrivilege	3900	msiexec.exe
Token: SeRestorePrivilege	3900	msiexec.exe
Token: SeTakeOwnershipPrivilege	3900	msiexec.exe
Token: SeRestorePrivilege	3900	msiexec.exe
Token: SeTakeOwnershipPrivilege	3900	msiexec.exe
Token: SeRestorePrivilege	3900	msiexec.exe
Token: SeTakeOwnershipPrivilege	3900	msiexec.exe
Token: SeRestorePrivilege	3900	msiexec.exe
Token: SeTakeOwnershipPrivilege	3900	msiexec.exe
Token: SeRestorePrivilege	3900	msiexec.exe
Token: SeTakeOwnershipPrivilege	3900	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2436	LenovoLegionToolkitSetup.tmp
816	dotnet60desktop_x64.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 2436	4960	LenovoLegionToolkitSetup.exe	81
PID 4960 wrote to memory of 2436	4960	LenovoLegionToolkitSetup.exe	81
PID 4960 wrote to memory of 2436	4960	LenovoLegionToolkitSetup.exe	81
PID 2436 wrote to memory of 1780	2436	LenovoLegionToolkitSetup.tmp	82
PID 2436 wrote to memory of 1780	2436	LenovoLegionToolkitSetup.tmp	82
PID 2436 wrote to memory of 3948	2436	LenovoLegionToolkitSetup.tmp	93
PID 2436 wrote to memory of 3948	2436	LenovoLegionToolkitSetup.tmp	93
PID 2436 wrote to memory of 3948	2436	LenovoLegionToolkitSetup.tmp	93
PID 3948 wrote to memory of 816	3948	dotnet60desktop_x64.exe	94
PID 3948 wrote to memory of 816	3948	dotnet60desktop_x64.exe	94
PID 3948 wrote to memory of 816	3948	dotnet60desktop_x64.exe	94
PID 816 wrote to memory of 4372	816	dotnet60desktop_x64.exe	95
PID 816 wrote to memory of 4372	816	dotnet60desktop_x64.exe	95
PID 816 wrote to memory of 4372	816	dotnet60desktop_x64.exe	95
PID 3900 wrote to memory of 2824	3900	msiexec.exe	98
PID 3900 wrote to memory of 2824	3900	msiexec.exe	98
PID 3900 wrote to memory of 2824	3900	msiexec.exe	98
PID 3900 wrote to memory of 408	3900	msiexec.exe	99
PID 3900 wrote to memory of 408	3900	msiexec.exe	99
PID 3900 wrote to memory of 408	3900	msiexec.exe	99
PID 3900 wrote to memory of 3564	3900	msiexec.exe	100
PID 3900 wrote to memory of 3564	3900	msiexec.exe	100
PID 3900 wrote to memory of 3564	3900	msiexec.exe	100
PID 3900 wrote to memory of 1788	3900	msiexec.exe	101
PID 3900 wrote to memory of 1788	3900	msiexec.exe	101
PID 3900 wrote to memory of 1788	3900	msiexec.exe	101
PID 2436 wrote to memory of 5004	2436	LenovoLegionToolkitSetup.tmp	103
PID 2436 wrote to memory of 5004	2436	LenovoLegionToolkitSetup.tmp	103

C:\Users\Admin\AppData\Local\Temp\LenovoLegionToolkitSetup.exe
"C:\Users\Admin\AppData\Local\Temp\LenovoLegionToolkitSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Users\Admin\AppData\Local\Temp\is-SNCKI.tmp\LenovoLegionToolkitSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-SNCKI.tmp\LenovoLegionToolkitSetup.tmp" /SL5="$C0042,4195697,832512,C:\Users\Admin\AppData\Local\Temp\LenovoLegionToolkitSetup.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\is-CN4SK.tmp\netcorecheck_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\is-CN4SK.tmp\netcorecheck_x64.exe" Microsoft.WindowsDesktop.App 6.0.8
    3⤵
    - Executes dropped EXE
    PID:1780
- - C:\Users\Admin\AppData\Local\Temp\is-CN4SK.tmp\dotnet60desktop_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\is-CN4SK.tmp\dotnet60desktop_x64.exe" /lcid 1033 /passive /norestart
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Windows\Temp\{A2365771-3C0F-4ECB-979B-7538F0E61845}\.cr\dotnet60desktop_x64.exe
      "C:\Windows\Temp\{A2365771-3C0F-4ECB-979B-7538F0E61845}\.cr\dotnet60desktop_x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-CN4SK.tmp\dotnet60desktop_x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /lcid 1033 /passive /norestart
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:816
    - - C:\Windows\Temp\{D469E92B-2FA1-4651-83D1-B5D35764D627}\.be\windowsdesktop-runtime-6.0.8-win-x64.exe
        
        "C:\Windows\Temp\{D469E92B-2FA1-4651-83D1-B5D35764D627}\.be\windowsdesktop-runtime-6.0.8-win-x64.exe" -q -burn.elevated BurnPipe.{5253AB21-2A05-404F-9E57-F17EA692E0FC} {1C744B16-C652-47AA-A6D7-5129E85778D3} 816
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4372
- - C:\Users\Admin\AppData\Local\Programs\LenovoLegionToolkit\Lenovo Legion Toolkit.exe
    "C:\Users\Admin\AppData\Local\Programs\LenovoLegionToolkit\Lenovo Legion Toolkit.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    PID:5004

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6110DFA7BCD2BC84E4F0A38164AE77A9
  2⤵
  - Loads dropped DLL
  PID:2824
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EACFC3B40A39A36722B7D9A547513699
  2⤵
  - Loads dropped DLL
  PID:408
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C195800166E111450BC9D8DAAC137A44
  2⤵
  - Loads dropped DLL
  PID:3564
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B28610AAF918FB4F7F78DD112C0F5668
  2⤵
  - Loads dropped DLL
  PID:1788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\dotnet\host\fxr\6.0.8\hostfxr.dll

Filesize
366KB

MD5
4fc4fb4d77a7ef49ee5133b5b6a194ed

SHA1
8c63016cd28a0c3896ccb5f98d5aaa08a9e281d8

SHA256
cc39ab9baa38b4cf39dbc34dcc920202c69570baf67f4f947c02b8fdf0e61fc5

SHA512
5c647ce6a15a61d9bb10660aa29eafe5f2509cc63408efb3659b5036a21d268b9ffe825a4bf67d9c8e78005e7a414cc782a20538a135b9a8b0ed6329702c9fc7

Download Submit
C:\Program Files\dotnet\host\fxr\6.0.8\hostfxr.dll

Filesize
366KB

MD5
4fc4fb4d77a7ef49ee5133b5b6a194ed

SHA1
8c63016cd28a0c3896ccb5f98d5aaa08a9e281d8

SHA256
cc39ab9baa38b4cf39dbc34dcc920202c69570baf67f4f947c02b8fdf0e61fc5

SHA512
5c647ce6a15a61d9bb10660aa29eafe5f2509cc63408efb3659b5036a21d268b9ffe825a4bf67d9c8e78005e7a414cc782a20538a135b9a8b0ed6329702c9fc7

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\Microsoft.NETCore.App.deps.json

Filesize
32KB

MD5
1644ca5abb1da6551fe26c8b2712354c

SHA1
8194ce6de282c544d8425410a597f977bc84121e

SHA256
34ba41b6f99a70ab79fb22c9f352a8f0417c5b5e816d552d94af9c67335a08f2

SHA512
1bc53d61b3f40a6bb2063c122421ec4b43f6f710d596115370092321b548165a8185c945ddc98add56fe49a15ffb946fcf3b5113601e3a5631d84ef6f9527d48

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\Microsoft.NETCore.App.runtimeconfig.json

Filesize
159B

MD5
3fbd84a952d4bab02e11fec7b2bbc90e

SHA1
e92de794f3c8d5a5a1a0b75318be9d5fb528d07d

SHA256
1b7aa545d9d3216979a9efe8d72967f6e559a9c6a22288d14444d6c5c4c15738

SHA512
c97c1da7ae94847d4edf11625dc5b5085838c3842a550310cca5c70ba54be907ff454ca1e0080ba451eacfc5954c3f778f8b4e26c0933e55c121c86c9a24400b

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\System.Private.CoreLib.dll

Filesize
10.1MB

MD5
1af8685bb8e67c6841b1f2150b0aec4c

SHA1
3b15c45109cbb61b1600bafede5275f1947934c5

SHA256
30a3a396ea1edd01ddbef642decf688def749c685880f4037c037d94aa7f0269

SHA512
404cdc52176cd34336c876fff884db6035b888da5d7ea102609317b4feca18a0d9ee882cf45cf317cbc3e8f1de339762bf03bd8a946fd04e23c21964e7a43686

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\System.Private.CoreLib.dll

Filesize
10.1MB

MD5
1af8685bb8e67c6841b1f2150b0aec4c

SHA1
3b15c45109cbb61b1600bafede5275f1947934c5

SHA256
30a3a396ea1edd01ddbef642decf688def749c685880f4037c037d94aa7f0269

SHA512
404cdc52176cd34336c876fff884db6035b888da5d7ea102609317b4feca18a0d9ee882cf45cf317cbc3e8f1de339762bf03bd8a946fd04e23c21964e7a43686

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\System.Private.CoreLib.dll

Filesize
10.1MB

MD5
1af8685bb8e67c6841b1f2150b0aec4c

SHA1
3b15c45109cbb61b1600bafede5275f1947934c5

SHA256
30a3a396ea1edd01ddbef642decf688def749c685880f4037c037d94aa7f0269

SHA512
404cdc52176cd34336c876fff884db6035b888da5d7ea102609317b4feca18a0d9ee882cf45cf317cbc3e8f1de339762bf03bd8a946fd04e23c21964e7a43686

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\System.Runtime.dll

Filesize
41KB

MD5
83e4f7a918fa3ee8e573423fbd18acf2

SHA1
fa1cc21b687c239b2d4ba276c538d6c33bde6045

SHA256
301cd1655c519d9b528eaf52b950f321b2462f6cc35a9ef8a0f91ce19eb5834d

SHA512
40b88c17eeaace6e5eb1bd86fb8d84b6d4e0d284bb749e7f9655d4949de8c0fb7a9aaedbeba6da5becdc92f687cec2c2a39da7cb162ec36322de70889b662dde

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\clrjit.dll

Filesize
1.4MB

MD5
1972eb629b743754e28318ecf7e04628

SHA1
783f6b6f1de5168cb21b3fb7d929ad6899524d06

SHA256
e0d30abf7dde33dfe2165f8e9e63220ff9f2738ea81570275e7f1fdceabdebaf

SHA512
db2fcc3b5b0426b22fe776b0edf78c23c0ab4706217c5dbf6d0823427ecb7e3225d8bf112f25b2e81edc8fec39805335c2e4331b0ce9217de8e5ca87069a0c7d

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\clrjit.dll

Filesize
1.4MB

MD5
1972eb629b743754e28318ecf7e04628

SHA1
783f6b6f1de5168cb21b3fb7d929ad6899524d06

SHA256
e0d30abf7dde33dfe2165f8e9e63220ff9f2738ea81570275e7f1fdceabdebaf

SHA512
db2fcc3b5b0426b22fe776b0edf78c23c0ab4706217c5dbf6d0823427ecb7e3225d8bf112f25b2e81edc8fec39805335c2e4331b0ce9217de8e5ca87069a0c7d

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\coreclr.dll

Filesize
4.9MB

MD5
136ae18a33f456a70463a396474f3600

SHA1
276a61e8222a3d77c238a22795268fcf27d9f1ac

SHA256
35ec15d344f99d4c076c2ca47751cb7aa9d0cf75227cc5e354ae7d7c00c0bf37

SHA512
a31f7d8196cbf9980c3bdfbe0443d455767392c9ff83c7e527f410e35ec14e563e19bceef74faf71b55ea987be66bafd4073dade56fe5afeede8a500bc61cf53

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\coreclr.dll

Filesize
4.9MB

MD5
136ae18a33f456a70463a396474f3600

SHA1
276a61e8222a3d77c238a22795268fcf27d9f1ac

SHA256
35ec15d344f99d4c076c2ca47751cb7aa9d0cf75227cc5e354ae7d7c00c0bf37

SHA512
a31f7d8196cbf9980c3bdfbe0443d455767392c9ff83c7e527f410e35ec14e563e19bceef74faf71b55ea987be66bafd4073dade56fe5afeede8a500bc61cf53

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\hostpolicy.dll

Filesize
383KB

MD5
8920df1b3ab0660090b204d2881fbb4e

SHA1
ec8ec146c4226aece015d3b00439d0b505083dd1

SHA256
5b72566804a8cb4ac2d5d28438a6d197456e29299758dae57140b1c5ab84bbb4

SHA512
3ef742965369ca788e2ac229bf3f19648cc145f0a12f36c64f3e617039f32bccc0f24bc9736519ef7c12cd4e18831678d021d0268801bed4b593cdea1ee35ed2

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\hostpolicy.dll

Filesize
383KB

MD5
8920df1b3ab0660090b204d2881fbb4e

SHA1
ec8ec146c4226aece015d3b00439d0b505083dd1

SHA256
5b72566804a8cb4ac2d5d28438a6d197456e29299758dae57140b1c5ab84bbb4

SHA512
3ef742965369ca788e2ac229bf3f19648cc145f0a12f36c64f3e617039f32bccc0f24bc9736519ef7c12cd4e18831678d021d0268801bed4b593cdea1ee35ed2

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.8\mscorrc.dll

Filesize
143KB

MD5
3f623a087ed2fd714c2763a8f7954583

SHA1
d7fe83ad5997619594daf1c88ef63281ecd19ecf

SHA256
5aa6b0f0a2b220053b2663b97ec91200c850bc207bb56a7bfb18fcb2ad9bdb6b

SHA512
0c08d799ebb7dff1979644be48fa66100977c50e86c092f42a8743c8e4530765b8f6bc6b9d89daaa34296d1ef9f281fab52fdd45bec51bf524c811154282d069

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\Microsoft.WindowsDesktop.App.deps.json

Filesize
30KB

MD5
25b6ef2cb17e447487b8b5628a040cce

SHA1
5f9b3c0a02327609e0209ae77e3b598947fc2621

SHA256
1cab24f12316381ee5c7ed1c1b87cc63142720505dad63d0233e32d1ac58d274

SHA512
fc18fa9c376f646da75d2cccb47880af2f3ea810cf78291e6ac4969cb79c25914a58ce7de5743ad61058eac0815ab80fcf6f4c9ae0adfbe605da5ba7c530d2c5

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\Microsoft.WindowsDesktop.App.runtimeconfig.json

Filesize
288B

MD5
98196982086322d19e15af69621801c9

SHA1
d482b22d9acaccf443393933c608d8445f2f49ee

SHA256
c5285402c7d738fdec246210332f3b0c7bab03875da7fb656d7872fb3fe8b504

SHA512
359698d0de4b05f80b26bd5ffbd8534d321e4a402dfde289fa5bf7b48825f3873cf1db881018c8b9f16fa02f7ff55e96d14b287517ea892072bde17a716cfd79

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\PresentationFramework.dll

Filesize
15.5MB

MD5
dd719cfff212f6b7bb52eda8bb4d40c6

SHA1
dff1a728aa2759cbe0abb03de1f079c429dd6eff

SHA256
25246ad282c8960ec980bee3651e80b0bd9b9c9c15fa2c43731d4d1ef309f6c9

SHA512
2d00767b2aab274e7c5fb68cfc89cd4b125557370ef96fd88289a1d7802544020dfa57da0c60f6c9df7f161c9c84a4adae535cd0fffd2db726885024293e8e1f

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\PresentationFramework.dll

Filesize
15.5MB

MD5
dd719cfff212f6b7bb52eda8bb4d40c6

SHA1
dff1a728aa2759cbe0abb03de1f079c429dd6eff

SHA256
25246ad282c8960ec980bee3651e80b0bd9b9c9c15fa2c43731d4d1ef309f6c9

SHA512
2d00767b2aab274e7c5fb68cfc89cd4b125557370ef96fd88289a1d7802544020dfa57da0c60f6c9df7f161c9c84a4adae535cd0fffd2db726885024293e8e1f

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\System.Xaml.dll

Filesize
1.4MB

MD5
93bec1198a4b46e566f6e44a164a837b

SHA1
3458ab682811d21a3e761b75ce453a5498ccafb2

SHA256
0676dbb9a0173ae925e18c6c6df53d8c8a054595dc128baa11036ccfa394d77d

SHA512
8ffa49c305bf15a046a95ac72e5fcaa868d0da721871382f654fac91335ebc366562b882f2976e9aba00248298a156734c9503d15c30bc0afaebd9c408dbdce1

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\System.Xaml.dll

Filesize
1.4MB

MD5
93bec1198a4b46e566f6e44a164a837b

SHA1
3458ab682811d21a3e761b75ce453a5498ccafb2

SHA256
0676dbb9a0173ae925e18c6c6df53d8c8a054595dc128baa11036ccfa394d77d

SHA512
8ffa49c305bf15a046a95ac72e5fcaa868d0da721871382f654fac91335ebc366562b882f2976e9aba00248298a156734c9503d15c30bc0afaebd9c408dbdce1

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\WindowsBase.dll

Filesize
2.2MB

MD5
f4454ebe54237727555b9d072363e397

SHA1
fc50be8a8b3e31ec7c8305471dd4c8da82b69dc0

SHA256
ee2d649d35da26a0cea0f68c003c0a416f85e39619428f1eb045d2f2b4fcd1b4

SHA512
936475cc808eb8ca4a318c95c7222e7b0a26c6bfbc786e19349b9323319c750dcb4105f9331b18db5d01bea17a101c2117d8a953ec3d795665ccf30b9753aa4e

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.8\WindowsBase.dll

Filesize
2.2MB

MD5
f4454ebe54237727555b9d072363e397

SHA1
fc50be8a8b3e31ec7c8305471dd4c8da82b69dc0

SHA256
ee2d649d35da26a0cea0f68c003c0a416f85e39619428f1eb045d2f2b4fcd1b4

SHA512
936475cc808eb8ca4a318c95c7222e7b0a26c6bfbc786e19349b9323319c750dcb4105f9331b18db5d01bea17a101c2117d8a953ec3d795665ccf30b9753aa4e

Download Submit
C:\Users\Admin\AppData\Local\Programs\LenovoLegionToolkit\Lenovo Legion Toolkit.deps.json

Filesize
17KB

MD5
8f5dd3ddf051a27113d08bb9bc468fcf

SHA1
417d43a67616d76fccf03656d83934011d005b27

SHA256
56ca6688b95f8c8e006074f32068317ee20a9e483eb508b20a1bfeefad20629d

SHA512
d68b19731fae26a68b14bf888721be5c583a70433f249b190ebc6b650a0a860364c2ecb18eec29e325f7c9f56553024947bd0d360281e3e3dfbfd3e785af83f5

Download Submit
C:\Users\Admin\AppData\Local\Programs\LenovoLegionToolkit\Lenovo Legion Toolkit.dll

Filesize
443KB

MD5
03b1f6f2592eda4d4601454cdd9be661

SHA1
80bd38537be3d5e26c78f5816bad501bd89d2d2c

SHA256
edaa00c4eada28ec444991fb1ba264c844cbbb319cd6c821dd6e5051beb485f0

SHA512
87faa6f6ef9772e4593e1797aad378f844365a036ce9ea675c4cc9c5219b72f195f2cc2bd7a1e6281ce9e05453b4f8d86bbb77b09b8c895f903797463eacced2

Download Submit
C:\Users\Admin\AppData\Local\Programs\LenovoLegionToolkit\Lenovo Legion Toolkit.dll

Filesize
443KB

MD5
03b1f6f2592eda4d4601454cdd9be661

SHA1
80bd38537be3d5e26c78f5816bad501bd89d2d2c

SHA256
edaa00c4eada28ec444991fb1ba264c844cbbb319cd6c821dd6e5051beb485f0

SHA512
87faa6f6ef9772e4593e1797aad378f844365a036ce9ea675c4cc9c5219b72f195f2cc2bd7a1e6281ce9e05453b4f8d86bbb77b09b8c895f903797463eacced2

Download Submit
C:\Users\Admin\AppData\Local\Programs\LenovoLegionToolkit\Lenovo Legion Toolkit.dll

Filesize
443KB

MD5
03b1f6f2592eda4d4601454cdd9be661

SHA1
80bd38537be3d5e26c78f5816bad501bd89d2d2c

SHA256
edaa00c4eada28ec444991fb1ba264c844cbbb319cd6c821dd6e5051beb485f0

SHA512
87faa6f6ef9772e4593e1797aad378f844365a036ce9ea675c4cc9c5219b72f195f2cc2bd7a1e6281ce9e05453b4f8d86bbb77b09b8c895f903797463eacced2

Download Submit
C:\Users\Admin\AppData\Local\Programs\LenovoLegionToolkit\Lenovo Legion Toolkit.exe

Filesize
188KB

MD5
e72b02d991218ec06cafbb31b1272304

SHA1
858648334a5e8e3d95301ad300bf5fea7774a8d9

SHA256
bfba46d296d77ef1c487ec8cd939ab5911a311c16596ac95bb33d89815beb9ee

SHA512
af4b501ceb2fc6951b343d65569d6183b1fd02af46f37688b8255aecb6d841a34a867fadc53b6d66737730f6c325cfb4fa8a6b1b81dcacae6143c89db8716ff8

Download Submit
C:\Users\Admin\AppData\Local\Programs\LenovoLegionToolkit\Lenovo Legion Toolkit.runtimeconfig.json

Filesize
372B

MD5
d94cf983fba9ab1bb8a6cb3ad4a48f50

SHA1
04855d8b7a76b7ec74633043ef9986d4500ca63c

SHA256
1eca0f0c70070aa83bb609e4b749b26dcb4409784326032726394722224a098a

SHA512
09a9667d4f4622817116c8bc27d3d481d5d160380a2e19b8944bdd1271a83f718415ce5e6d66e82e36819e575ec1b55f19c45213e0013b877b8d61e6feb9d998

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.8_(x64)_20221006144459_000_dotnet_runtime_6.0.8_win_x64.msi.log

Filesize
2KB

MD5
cf5651670f6868acd408db9d3eea2c49

SHA1
93deda9e188d0c4d1e43998ba6173c4208e3cb5c

SHA256
04d2230edfb97d2318a32d1c9e520f47e83f5c36f13fb499b149b4c8c0dd98bb

SHA512
798abed769782cf774a4957600ef4eea0a875f34df6d9a965acbd4c78558a3adc0a0e1eec35b2c7b89ce1ad3603656f1f76100881dbf8936af09312d84886508

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.8_(x64)_20221006144459_001_dotnet_hostfxr_6.0.8_win_x64.msi.log

Filesize
2KB

MD5
4dae97422ac8076528d30c24b2e4ed76

SHA1
299d8c6aca7c08f8073dfcfcae9dfbdcf94e783c

SHA256
2caaecf5c017385c864d19b5dce5891c042ed8924fe4ecc9aba9a2a14149f6c0

SHA512
da17ca20f6ecb98835da94439d5baed34ace4817c0242c2dd0661ae17f9e54a4b35610573ea8497350e0baa86d6254c240a11d7a3a4ed22f6397183b23066dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.8_(x64)_20221006144459_002_dotnet_host_6.0.8_win_x64.msi.log

Filesize
2KB

MD5
bcc943891d0f63c0fc2655e9617c5263

SHA1
a91d785c786744d802a55bc74a49ba8e4c925706

SHA256
e851aca68ec27557eb4410685f1ec78c215bd3d639412f3e7b9fb7fb3db4e4a6

SHA512
a40ef9f6e9bc8361432188f9079a1768123ed8d97d53c26b3f2f31e3633a31a0115904e6674c9c4710597a1908832ae9fd8aa1fcb5aaaa282bb5b6646dcf1f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.8_(x64)_20221006144459_003_windowsdesktop_runtime_6.0.8_win_x64.msi.log

Filesize
2KB

MD5
68ad74e67435dd7f9f9821a4f52fff93

SHA1
ba3d10f299ef13b09ae5ec545f528d159f3161a5

SHA256
e64a05490c361c36eee8fed24887e5ce9fccc5a7c9216d1e9ce21e0bc1321ee4

SHA512
25dbce06413fb03988e318cf5aff8b694c5fbd14b64091b4b683ef802c4ceabcb915d8e24642cc90b90b162d8dd0b86f4893cb1f18f284907df3c8bbd6ceea36

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CN4SK.tmp\dotnet60desktop_x64.exe

Filesize
55.2MB

MD5
3093812bb6e69c4b88007435595d16ff

SHA1
aba98aaa3db700d41eb067280f86f35b7ddea550

SHA256
7d30787fd4b338186a145aa5d2f4703a0ab02bbd29c46415cabca369b5195373

SHA512
53d5f38ebec2675d43c618c32533f3b8684384839b4bfa83902d06be535a56410255e26ee0a4844c170f7536be9039a126eebec8577a781b8a0c30c00a7ad20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CN4SK.tmp\dotnet60desktop_x64.exe

Filesize
55.2MB

MD5
3093812bb6e69c4b88007435595d16ff

SHA1
aba98aaa3db700d41eb067280f86f35b7ddea550

SHA256
7d30787fd4b338186a145aa5d2f4703a0ab02bbd29c46415cabca369b5195373

SHA512
53d5f38ebec2675d43c618c32533f3b8684384839b4bfa83902d06be535a56410255e26ee0a4844c170f7536be9039a126eebec8577a781b8a0c30c00a7ad20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CN4SK.tmp\netcorecheck_x64.exe

Filesize
140KB

MD5
de54c196cfe1bd90152460b6242f5ad3

SHA1
e1bc2721b1ba41b8157ce72bb6d56bf55b7b4785

SHA256
3b26fe9d187ce9e8275e970bd3884acaae4e0bbf7089759b3378ba44201a3b8b

SHA512
88a29b3788ad4da5f0581bc1e58dcd860060aaf1d3e3def3741d256652b8f257203e1e2b378dd7d38ae648f2efbd11268717a4107b4edb873babd8441b7f68d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CN4SK.tmp\netcorecheck_x64.exe

Filesize
140KB

MD5
de54c196cfe1bd90152460b6242f5ad3

SHA1
e1bc2721b1ba41b8157ce72bb6d56bf55b7b4785

SHA256
3b26fe9d187ce9e8275e970bd3884acaae4e0bbf7089759b3378ba44201a3b8b

SHA512
88a29b3788ad4da5f0581bc1e58dcd860060aaf1d3e3def3741d256652b8f257203e1e2b378dd7d38ae648f2efbd11268717a4107b4edb873babd8441b7f68d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SNCKI.tmp\LenovoLegionToolkitSetup.tmp

Filesize
3.0MB

MD5
6aec012f693d8b302b035e4e154a453a

SHA1
ba29940254a32818a688bc868f8cea4cecf61e2e

SHA256
5379c211841778c16cc8255152b92178f8054161e9443354a60c48ea03f8bfbe

SHA512
96d47426295967b788cfa3d0f5a0a387bd3c2830cfb7461b7860c0f2f23bc45b2c4781d743cb63a9cb0b30b86047cb1572ed1343b2e36820ad66c67267d956f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SNCKI.tmp\LenovoLegionToolkitSetup.tmp

Filesize
3.0MB

MD5
6aec012f693d8b302b035e4e154a453a

SHA1
ba29940254a32818a688bc868f8cea4cecf61e2e

SHA256
5379c211841778c16cc8255152b92178f8054161e9443354a60c48ea03f8bfbe

SHA512
96d47426295967b788cfa3d0f5a0a387bd3c2830cfb7461b7860c0f2f23bc45b2c4781d743cb63a9cb0b30b86047cb1572ed1343b2e36820ad66c67267d956f9

Download Submit
C:\Windows\Installer\MSI9971.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI9971.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSIAB65.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSIAB65.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSIADC7.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSIADC7.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSIB173.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSIB173.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSIB52D.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSIB52D.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSIBB2A.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSIBB2A.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSIBFEE.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSIBFEE.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSID675.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSID675.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Temp\{A2365771-3C0F-4ECB-979B-7538F0E61845}\.cr\dotnet60desktop_x64.exe

Filesize
610KB

MD5
66b3596d1de143044c6b73e59dd11ff3

SHA1
d5adc16f67d7528255b1f239370696c109e7cca6

SHA256
cdcaac701828a2027b50f4a256d86b7f53498b7fcb3b53f8d9f0e8ac74866cd7

SHA512
2e50df4c06bef357c1c2ad25b2b350f9f01d55b5e0ad5b461a0b014acb73881645110c5f0c3e0307917cad99a12f0626ca38519c4928ebbd8d7dd290b355c3c7

Download Submit
C:\Windows\Temp\{A2365771-3C0F-4ECB-979B-7538F0E61845}\.cr\dotnet60desktop_x64.exe

Filesize
610KB

MD5
66b3596d1de143044c6b73e59dd11ff3

SHA1
d5adc16f67d7528255b1f239370696c109e7cca6

SHA256
cdcaac701828a2027b50f4a256d86b7f53498b7fcb3b53f8d9f0e8ac74866cd7

SHA512
2e50df4c06bef357c1c2ad25b2b350f9f01d55b5e0ad5b461a0b014acb73881645110c5f0c3e0307917cad99a12f0626ca38519c4928ebbd8d7dd290b355c3c7

Download Submit
C:\Windows\Temp\{D469E92B-2FA1-4651-83D1-B5D35764D627}\.ba\wixstdba.dll

Filesize
197KB

MD5
4356ee50f0b1a878e270614780ddf095

SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af

SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

Download Submit
C:\Windows\Temp\{D469E92B-2FA1-4651-83D1-B5D35764D627}\.be\windowsdesktop-runtime-6.0.8-win-x64.exe

Filesize
610KB

MD5
66b3596d1de143044c6b73e59dd11ff3

SHA1
d5adc16f67d7528255b1f239370696c109e7cca6

SHA256
cdcaac701828a2027b50f4a256d86b7f53498b7fcb3b53f8d9f0e8ac74866cd7

SHA512
2e50df4c06bef357c1c2ad25b2b350f9f01d55b5e0ad5b461a0b014acb73881645110c5f0c3e0307917cad99a12f0626ca38519c4928ebbd8d7dd290b355c3c7

Download Submit
C:\Windows\Temp\{D469E92B-2FA1-4651-83D1-B5D35764D627}\.be\windowsdesktop-runtime-6.0.8-win-x64.exe

Filesize
610KB

MD5
66b3596d1de143044c6b73e59dd11ff3

SHA1
d5adc16f67d7528255b1f239370696c109e7cca6

SHA256
cdcaac701828a2027b50f4a256d86b7f53498b7fcb3b53f8d9f0e8ac74866cd7

SHA512
2e50df4c06bef357c1c2ad25b2b350f9f01d55b5e0ad5b461a0b014acb73881645110c5f0c3e0307917cad99a12f0626ca38519c4928ebbd8d7dd290b355c3c7

Download Submit
C:\Windows\Temp\{D469E92B-2FA1-4651-83D1-B5D35764D627}\dotnet_host_6.0.8_win_x64.msi

Filesize
736KB

MD5
e601c40760a5abaaa6f3426fce6b796b

SHA1
1fce0cebd73a756efb4d60d65a09219eb2f00e5a

SHA256
7643ae53ae1af3a4e62d30931b5e0a61d7a62a05fdf8c413b61d05ae0525a39e

SHA512
9515029d9aa1bf374518a011087f9ac6771c709020b6246aa6fb67b351c5cbe3b16bfc7e4c6a8b2654d0cd5b0c63c86aade86da4da661df7b60273d9ee6d16f6

Download Submit
C:\Windows\Temp\{D469E92B-2FA1-4651-83D1-B5D35764D627}\dotnet_hostfxr_6.0.8_win_x64.msi

Filesize
804KB

MD5
a8451034a2623cb2058bc47b9d461196

SHA1
db396777dbbb8c15731454ed7c68dcc63b46edf9

SHA256
143596186bfe0cb5dacab7b5b0a50e5d8e2a236faa6b8911702f24cb13e3e825

SHA512
b974bbc26397a27d7101b5c3a3321f6dad50cf1cd61aa844ce80208b9911566503b9e95bb6066dcc2dd2e02b4b4f866019d0afd86d2d1e894cc210cb72f1d455

Download Submit
C:\Windows\Temp\{D469E92B-2FA1-4651-83D1-B5D35764D627}\dotnet_runtime_6.0.8_win_x64.msi

Filesize
26.2MB

MD5
b8d0c9a8a471d78d7b6c4976ce22e3c0

SHA1
eff2d2f89b2873b582b13b19de23abf32384a167

SHA256
d6efb6ee0c9720e3256d7ef62b1db81d0a4bebb8615a14a06230e0bfe39cb92a

SHA512
cafa373b359fe0a68fcfe300424bbc3847c58cf3b407e420281a32e7c9be2c9ea89c08dda274feaacda07211cb30a16d13f7c4f3f6e08d2e83f883d5accfd956

Download Submit
C:\Windows\Temp\{D469E92B-2FA1-4651-83D1-B5D35764D627}\windowsdesktop_runtime_6.0.8_win_x64.msi

Filesize
28.6MB

MD5
de278f8bd9266240e83e6db16bba7044

SHA1
28ecc5f0abe0707f68def731495b068f9d4291e7

SHA256
0fdd572fb5599e13aa2b3748ec027e0df7d34aad5b761dfef3a120b03071221c

SHA512
974704de2877bed14dba480126d1744e7307c9186c3fe424bab1b05ce83b20d0fee753ca6b413e389805445a2f707979190710fe804c47bdbf1dec024d71ab63

Download Submit
memory/4960-132-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4960-210-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4960-140-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4960-134-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download