7b2022b368d6930f91a360c1bbd5c98fce768b09cfff3c0a6e41ac7203c79482

Analysis

max time kernel
153s
max time network
164s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b2022b368d6930f91a360c1bbd5c98fce768b09cfff3c0a6e41ac7203c79482.exe
Size

986KB
MD5

07ba1578eb9a67706aedf0fcaa7e9412
SHA1

33ca06048cb0ea43e145c364168771e115fa2a60
SHA256

7b2022b368d6930f91a360c1bbd5c98fce768b09cfff3c0a6e41ac7203c79482
SHA512

ca4d0dd4b817dacdc0192a671493273b9c4ece1b2533c69b006df69cad6eec5d75bbe3b2d0207d688cdb01177ef53eaee32d0994deac34cae3c583e9227d224c
SSDEEP

24576:Gf/Z9arRbSnCS/ZmExYaEsAGSTU9twGTdK8kUu1hLMGR:ACFbSCSIEiLsA+92udK8bK7R

Score

8^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

lmi_rescue.exeLMI_Rescue_srv.exe

pid process

1956 lmi_rescue.exe
1788 LMI_Rescue_srv.exe
Loads dropped DLL 2 IoCs

Processes:

7b2022b368d6930f91a360c1bbd5c98fce768b09cfff3c0a6e41ac7203c79482.exelmi_rescue.exe

pid process

1476 7b2022b368d6930f91a360c1bbd5c98fce768b09cfff3c0a6e41ac7203c79482.exe
1956 lmi_rescue.exe

pid	process
1956	lmi_rescue.exe
1788	LMI_Rescue_srv.exe

pid	process
1476	7b2022b368d6930f91a360c1bbd5c98fce768b09cfff3c0a6e41ac7203c79482.exe
1956	lmi_rescue.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lmi_rescue.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	lmi_rescue.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_2752101725 = "\"C:\\Windows\\LMI4838.tmp\\lmi_rescue.exe\" -runonce reboot"	lmi_rescue.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

lmi_rescue.exeLMI_Rescue_srv.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lmi_rescue.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LMI_Rescue_srv.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

lmi_rescue.exe

description ioc process

File opened for modification \??\PhysicalDrive0 lmi_rescue.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	lmi_rescue.exe

Drops file in System32 directory 1 IoCs

Processes:

LMI_Rescue_srv.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	LMI_Rescue_srv.exe

Drops file in Windows directory 13 IoCs

Processes:

7b2022b368d6930f91a360c1bbd5c98fce768b09cfff3c0a6e41ac7203c79482.exelmi_rescue.exeLMI_Rescue_srv.exe

description	ioc	process
File created	C:\Windows\LMI4838.tmp\LMI_Rescue_srv.exe	7b2022b368d6930f91a360c1bbd5c98fce768b09cfff3c0a6e41ac7203c79482.exe
File opened for modification	C:\Windows\LMI4838.tmp\params.txt	7b2022b368d6930f91a360c1bbd5c98fce768b09cfff3c0a6e41ac7203c79482.exe
File created	C:\Windows\LMI4838.tmp\logo.bmp	7b2022b368d6930f91a360c1bbd5c98fce768b09cfff3c0a6e41ac7203c79482.exe
File opened for modification	C:\Windows\LMI4838.tmp\params.txt	lmi_rescue.exe
File opened for modification	C:\Windows\LMI4838.tmp\params.txt	LMI_Rescue_srv.exe
File created	C:\Windows\LMI4838.tmp\lmi_rescue.exe	7b2022b368d6930f91a360c1bbd5c98fce768b09cfff3c0a6e41ac7203c79482.exe
File created	C:\Windows\LMI4838.tmp\ra64app.exe	7b2022b368d6930f91a360c1bbd5c98fce768b09cfff3c0a6e41ac7203c79482.exe
File opened for modification	C:\Windows\LMI4838.tmp\LMI_Rescue_srv.exe	7b2022b368d6930f91a360c1bbd5c98fce768b09cfff3c0a6e41ac7203c79482.exe
File created	C:\Windows\LMI4838.tmp\params.txt	7b2022b368d6930f91a360c1bbd5c98fce768b09cfff3c0a6e41ac7203c79482.exe
File created	C:\Windows\LMI4838.tmp\rescue.ico	7b2022b368d6930f91a360c1bbd5c98fce768b09cfff3c0a6e41ac7203c79482.exe
File opened for modification	C:\Windows\LMI4838.tmp\rescue.log	lmi_rescue.exe
File opened for modification	C:\Windows\LMI4838.tmp\rescue.log	LMI_Rescue_srv.exe
File created	C:\Windows\LMI4838.tmp\rahook.dll	7b2022b368d6930f91a360c1bbd5c98fce768b09cfff3c0a6e41ac7203c79482.exe

Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

468 bcdedit.exe

pid	process
468	bcdedit.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

LMI_Rescue_srv.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	LMI_Rescue_srv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	LMI_Rescue_srv.exe

Modifies registry class 64 IoCs

Processes:

LMI_Rescue_srv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4f28-B191-A6EC8801AB3B}	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\TypeLib	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\Version = "1.0"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\ = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\HELPDIR\ = "C:\\Windows\\LMI4838.tmp"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ = "IRescueSvc"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\ = "LMI_Rescue.exe"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\FLAGS\ = "0"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\LocalServer32\ = "C:\\Windows\\LMI4838.tmp\\LMI_Rescue.exe"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\ = "Rescue Com library"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0\win32\ = "C:\\Windows\\LMI4838.tmp\\LMI_Rescue.exe"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\LocalServer32 = "LMI_Rescue.exe"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\ = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\AppID = "{359471F8-E218-4b08-8D1E-8DFBF2F0F700}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue.exe\AppID = "{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\AppID = "{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\Version = "1.0"	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue_srv.exe	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue.exe	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\HELPDIR	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue_srv.exe\AppID = "{359471F8-E218-4b08-8D1E-8DFBF2F0F700}"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\LocalService = "LMIRescue_4286b2b8-7a8f-4d84-8813-aca9b73d2994"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\Version = "1.0"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\ = "LogMeIn Rescue Service"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\TypeLib\ = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0\win32	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ = "IRescueUser"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\ = "LMI_Rescue_srv.exe"	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\ = "LogMeIn Rescue GUI"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ = "IRescueSvc"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\RunAs = "Interactive User"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\LocalServer32	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ = "IRescueUser"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\Version = "1.0"	LMI_Rescue_srv.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

lmi_rescue.exeLMI_Rescue_srv.exe

pid process

1956 lmi_rescue.exe
1788 LMI_Rescue_srv.exe

pid	process
1956	lmi_rescue.exe
1788	LMI_Rescue_srv.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

lmi_rescue.exeLMI_Rescue_srv.exe

description	pid	process
Token: SeCreateGlobalPrivilege	1956	lmi_rescue.exe
Token: SeCreateGlobalPrivilege	1788	LMI_Rescue_srv.exe
Token: SeCreateGlobalPrivilege	1788	LMI_Rescue_srv.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

lmi_rescue.exe

pid process

1956 lmi_rescue.exe

pid	process
1956	lmi_rescue.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

7b2022b368d6930f91a360c1bbd5c98fce768b09cfff3c0a6e41ac7203c79482.exeLMI_Rescue_srv.exe

description	pid	process	target process
PID 1476 wrote to memory of 1956	1476	7b2022b368d6930f91a360c1bbd5c98fce768b09cfff3c0a6e41ac7203c79482.exe	lmi_rescue.exe
PID 1476 wrote to memory of 1956	1476	7b2022b368d6930f91a360c1bbd5c98fce768b09cfff3c0a6e41ac7203c79482.exe	lmi_rescue.exe
PID 1476 wrote to memory of 1956	1476	7b2022b368d6930f91a360c1bbd5c98fce768b09cfff3c0a6e41ac7203c79482.exe	lmi_rescue.exe
PID 1476 wrote to memory of 1956	1476	7b2022b368d6930f91a360c1bbd5c98fce768b09cfff3c0a6e41ac7203c79482.exe	lmi_rescue.exe
PID 1788 wrote to memory of 468	1788	LMI_Rescue_srv.exe	bcdedit.exe
PID 1788 wrote to memory of 468	1788	LMI_Rescue_srv.exe	bcdedit.exe
PID 1788 wrote to memory of 468	1788	LMI_Rescue_srv.exe	bcdedit.exe
PID 1788 wrote to memory of 468	1788	LMI_Rescue_srv.exe	bcdedit.exe

C:\Users\Admin\AppData\Local\Temp\7b2022b368d6930f91a360c1bbd5c98fce768b09cfff3c0a6e41ac7203c79482.exe
"C:\Users\Admin\AppData\Local\Temp\7b2022b368d6930f91a360c1bbd5c98fce768b09cfff3c0a6e41ac7203c79482.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\LMI4838.tmp\lmi_rescue.exe
"C:\Windows\LMI4838.tmp\lmi_rescue.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Windows\LMI4838.tmp\LMI_Rescue_srv.exe
"C:\Windows\LMI4838.tmp\LMI_Rescue_srv.exe" -service -sid 4286b2b8-7a8f-4d84-8813-aca9b73d2994
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe /deletevalue safeboot
2⤵
- Modifies boot configuration data using bcdedit
PID:468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\LMI4838.tmp\LMI_Rescue_srv.exe
Filesize
1.8MB

MD5
41e774079ab1a967aacf265e505985de

SHA1
1524d82a7c46bac90e6f89f8b71a1dcd67a383f2

SHA256
0ca7b8d017a00edf2920bb9c29a86a70fa2c197b2af0c5c8cac264e5d3962228

SHA512
4fd5fdd9720af6cf317bf49bd1adb766b315ce6b6b6b2af0e3d915770601fb75e38ac60fc870a1de97d35bf5346eb035a73db5c65f4addb5647a4b1e1ef1f178

Download Submit
C:\Windows\LMI4838.tmp\LMI_Rescue_srv.exe
Filesize
1.8MB

MD5
41e774079ab1a967aacf265e505985de

SHA1
1524d82a7c46bac90e6f89f8b71a1dcd67a383f2

SHA256
0ca7b8d017a00edf2920bb9c29a86a70fa2c197b2af0c5c8cac264e5d3962228

SHA512
4fd5fdd9720af6cf317bf49bd1adb766b315ce6b6b6b2af0e3d915770601fb75e38ac60fc870a1de97d35bf5346eb035a73db5c65f4addb5647a4b1e1ef1f178

Download Submit
C:\Windows\LMI4838.tmp\lmi_rescue.exe
Filesize
1.8MB

MD5
41e774079ab1a967aacf265e505985de

SHA1
1524d82a7c46bac90e6f89f8b71a1dcd67a383f2

SHA256
0ca7b8d017a00edf2920bb9c29a86a70fa2c197b2af0c5c8cac264e5d3962228

SHA512
4fd5fdd9720af6cf317bf49bd1adb766b315ce6b6b6b2af0e3d915770601fb75e38ac60fc870a1de97d35bf5346eb035a73db5c65f4addb5647a4b1e1ef1f178

Download Submit
C:\Windows\LMI4838.tmp\lmi_rescue.exe
Filesize
1.8MB

MD5
41e774079ab1a967aacf265e505985de

SHA1
1524d82a7c46bac90e6f89f8b71a1dcd67a383f2

SHA256
0ca7b8d017a00edf2920bb9c29a86a70fa2c197b2af0c5c8cac264e5d3962228

SHA512
4fd5fdd9720af6cf317bf49bd1adb766b315ce6b6b6b2af0e3d915770601fb75e38ac60fc870a1de97d35bf5346eb035a73db5c65f4addb5647a4b1e1ef1f178

Download Submit
C:\Windows\LMI4838.tmp\logo.bmp
Filesize
7KB

MD5
4925bc92dac27cf1f12c26cf72002820

SHA1
14d36e8eb66ce3704cf347657adac7fc460178a6

SHA256
af1d81679b00a6c34b9c95d6919fa70d6d6d8ad2e6df3a466a6cff2a0cba6fc6

SHA512
d119d557afce5f5117877f404e3ed32d451148bfac03f46296c70b0f34eff7a55724555f9b1edd76d202b43eafcc74568ffdedd6e60cef07491d7afb603a19c9

Download Submit
C:\Windows\LMI4838.tmp\params.txt
Filesize
495B

MD5
1f6a9e1b30a5c2be74598f46e36d088a

SHA1
4f9f23bc5278286ee6a8da631e019836e2512df8

SHA256
8ac31a9ed3e14d0c7d43c99c6d56888b44e922a5f9eb61405eb6d959e6c18f75

SHA512
c8d38a296fe59b001f0031b5c101d292c4c7155ee2b4ec3667deb63e04fba87105b9e3acd03af237d4befa582e01fb86a5c779e9d1b067694afbf15ff5b79e00

Download Submit
C:\Windows\LMI4838.tmp\params.txt
Filesize
481B

MD5
ea6cccfef5df66423ca899b98f9bf728

SHA1
099677ca6df63542a11afe3cfb7aeaa239d0d062

SHA256
f4ee14c9449571bbeb2934b9ceaa4fc5f4692541f5c2e0af13f945c8d24ea5a9

SHA512
a3fae47276d223f80ea791a72d1068487e8a4fb88e6659ffe1b364d45f5be38e9f53d3e463ca4265f969e6b19132d9552420c5678b3ad24d18a953417e2e8e19

Download Submit
C:\Windows\LMI4838.tmp\ra64app.exe
Filesize
208KB

MD5
68df4da2cb339832b713d45bf4f2dec1

SHA1
13ea77ad5724e5c6edc44a0e872d85c3a93ea593

SHA256
636e0e368a66049eb2b1e688549f50e93258664f9a85f0477d5e1192242c25a8

SHA512
80d81ca71bc5c8d570b6cca8f8f815cfa6d8cd7a3dabd8d9da46656efc8f6a68be2f5e1ca14378a250e3f2886acb116309960b7fce26ed2ed33bd6d9006167ef

Download Submit
C:\Windows\LMI4838.tmp\rahook.dll
Filesize
173KB

MD5
a74e732e69462a88ab84963abe26e055

SHA1
67ed07198a8d95e10e4e2c1c31f065c229d62e7b

SHA256
d079268ff103765a4fdab0e4ad44f1b6b5fe00d1aad9931eef63fd682818396f

SHA512
fed6cea867b41c5a0ffc875b7b80dc2b5ce9f15b4fbefc2d7d3ff03f7f5f0278c4c933f0a2e26c9938b9426aff9763300be143f2fde42a9533c93b797aca7927

Download Submit
C:\Windows\LMI4838.tmp\rescue.ico
Filesize
48KB

MD5
51fa8f4746f1a481c5ea25931e99ed77

SHA1
76a78677e527a0564533d90ed16fe5d7da8102e2

SHA256
ad3ec59a6f04578dc4dd9b85dbb2552019fb509201524c6cb8d06fea73da62d7

SHA512
c7a3a40ec447800297138c8ae35739c080388654f1afeb3a2c55080477615efbce94f05a3683f3f5528e9eb8e0ab5477be3f396a7b32e21cfd73b39e68197b29

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
25KB

MD5
4996f595b19bab2b9c74eef8bf0b62ed

SHA1
46e0b282009725102fb4ac9ed860757e8dd0ad4e

SHA256
df998fb4482dc0c121a0edd379b50de5cc3bde15d1dbac42171ccbb6126837c2

SHA512
d547c3819fd1df24ff24d254ba286e74624f080367053d4fbbec07f154ef61546ef8d7954d92f3f23893aef773e2483d010e1e5937118eabc1360e64b3a33778

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
25KB

MD5
6d05cdc8d843634a414722926013dc73

SHA1
657bf411943fb8f82b4167627401f4ddb747fd5f

SHA256
4b62569730c22816bb62555697e7253899353899ed99db79aee7886aa281bc1a

SHA512
3ef25201333fe45eaa3c3b65d77d2a53f1a64f51a8acb5e42f03f613b2b994e3d021fc2fc675446966fe4e9d3db52654411b47f0126edbfcb180f9dc448b9def

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
25KB

MD5
2a53bbe13c9bec6ea5cc98fc1b0139fb

SHA1
3b5a5238fe7e15d0e5912933716c560eae9d5df7

SHA256
9f485e035927d96d2cf80725c43206aaef29d2dbc47fd02b370c0601f3f5d59d

SHA512
9443263f218ef2255ed165d692844767f4014d442ca6a0589878337907c239248f554fe5b4d7b89b5f77109472b638f1879d3dcfa3d70a5a3bf8509916edbd8a

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
28KB

MD5
7ef1343f0298806cc171c39957be2dcf

SHA1
3a921c6df19e2e58b9d5698c378acf4b6294f53a

SHA256
9459518cfccd88f9e302f51c2a31052c96bca399f6e8611143f83b2d6ed260f0

SHA512
0292c2749b0106bf668d3b46fd00fed53a2e177181d8c7d84033a3f9e16a84f79d1a81198c2193e9a8556ab2b5a4ae8659750998c3fc4ea2f4db0adc2dd01888

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
28KB

MD5
37ced9834fbd9bc15eac72f2ad4f946a

SHA1
76e9b408dcd1cd176daa1cc5a8de91dd820df82a

SHA256
c738cfcb88344a69235262dcc112d4c9c44cd53806a8da507ff0a2a66fcf9f47

SHA512
02fa6b75570eee69a63033ad32d6653f9c999bcc6ef084707a9909885136fbfa0bf105e68523a99fd8e9fa1cb56b334a498bf8a9847da5130256cc6b37d6a868

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
28KB

MD5
c2c50c23dd4fd917be9fb62ba6bfdb8a

SHA1
068005657a135fb84a87fc7464c0a7c5cd8721aa

SHA256
8b25e79ff9f087538116806582465c3e9e4c112d400d00054514787d63800230

SHA512
02df2441e8b3e69628f599a888e466ab6af07a214dbf7745fb7fa0ed127a1f210f3c52eee2512a3d37ee8a54abf466ccdd11f95e8f125cb94910a1433debdacd

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
3KB

MD5
be9fb98409add1a304e79a26eb29191f

SHA1
c6af566a77df5b0ff9e39c5e6b220252e81ec88b

SHA256
177bc8c4f0d3790cc0d52904e00a05f981ae28fdc9348d2a4a4743af5daeb4e2

SHA512
1f27200b42c284f196803b6a63d8a3fcb72e10e61886e9bf28daa86164c117025a5de6f48dbb61ea76e317f3e74cba81a3690db1d0e6b381e4d024d895370857

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
4KB

MD5
f58570f162ffe01cc36fef4d323e8ff2

SHA1
fc1592a56fd11f714fdba68259a935658044a35d

SHA256
67d82452e0036f6c645b9e2ed94dd1aa448dc4e14b9e25c70405b0e2b83992c2

SHA512
c3061e725368cbb58c4d93ff1e8c476a90444ffe1388fcc5523f314f947483e9776b4d5c7c484e593e43f27690536632fe157f45145fbe9210656ef4cb927389

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
4KB

MD5
cec0931177173cd4fc4b8cb0d5be5c6e

SHA1
c6a57b4668e4cde968f39926a8931820474c58da

SHA256
90ad6c66b029be4b1d9c53048970f72ad79773b91c678863132dd1c3fe2a5ef9

SHA512
b02ae21d2e4bd0f6431b7b23c45256b34dcb36217a99dc0e8f407b9a892499d099efbf84ebda2dcdb6f746b0220136230e88e2e6d524e316e215bde23b8b1222

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
6KB

MD5
3de097767bedd1bc13a3ecb258188439

SHA1
24553dcfd28f29508be1b6189f8b44f77f94d0c7

SHA256
8de89d1231b6607cbedbb2d598485aeb1203ac90797ad0cf4573a5104ef48207

SHA512
7fe2ec0af935f1cb4e63088d21f2d670371f60cb162131688fef96b2393906c910bbda9e8988399e9705a4a798f0e6a84f452dc401ab9fd7fecf853962444c19

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
7KB

MD5
ca05f7c8f65031c8087caf6ab8c216ff

SHA1
d6ca64cd93ba397144f8ed8db949ea5d60b5dc53

SHA256
cc02f1bac1a58f8a43c4069475360f4fcc0336ce2c8e64ab5f10a50cf00f3964

SHA512
bf4a639af4821ca26c433e9a362a20c725c09320a36acb17a681cc196f567e20830c59ac0e00571a66f3f671c51938d95bb5d4d943f210031eb64d4ab4f9f08a

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
7KB

MD5
ca05f7c8f65031c8087caf6ab8c216ff

SHA1
d6ca64cd93ba397144f8ed8db949ea5d60b5dc53

SHA256
cc02f1bac1a58f8a43c4069475360f4fcc0336ce2c8e64ab5f10a50cf00f3964

SHA512
bf4a639af4821ca26c433e9a362a20c725c09320a36acb17a681cc196f567e20830c59ac0e00571a66f3f671c51938d95bb5d4d943f210031eb64d4ab4f9f08a

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
7KB

MD5
aeb8cbcac4e2c67365f7ee593be16888

SHA1
6581bdb951a853fde54cc27ca85254e81492d467

SHA256
72334de7f02c4a7d97005b54e4b9274830f85ded5889fead5879b9d71ad855c1

SHA512
690edd36c2b439e466d8e640874c122cb9197fae59bc3d9f10a288c87322c0338c8b23adceed9ac71c4178d1025bf44c56c8145678db38e2a8f2bfb184e93e62

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
10KB

MD5
836dcaf8cb48bda883d40b6bbe2e9625

SHA1
06c92a0216bec9a1fc2aa10235accfcb881e4187

SHA256
fe07a8efcff3a65f3d8b1452058a11f2735456dd570dccc7bf9026e775fc2b63

SHA512
8d3a07d5113e29b6499316918b1b9e9e8e62dbc6749811cb6a7499c2bd9aa1bab62ebfe17a0e2d8738c278ab8dc42abb24f2fccdafd3f874ea2c95711f982ab9

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
10KB

MD5
076d834f1756ef561a904b48f2a939f3

SHA1
3b712ff87986c9b12e438d928a90109fcc592fba

SHA256
8b7e7bf4cd5731c6b7ad095d1b9714c455644dbed26d6ba16fd078cc5d03f6ae

SHA512
c66c719a95ef7e14fc1d4022ea797bc69a32d55a0a800fb31e87db4a0d8c503d271a5fda7920e49a3bb62522529664d40cecf43954a975fa8bed6ffb55d9f60d

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
10KB

MD5
68bf6b82e4548c47248a8f2fd14f911d

SHA1
c6e6cd7657cee7941928fe25e61a78b9639a83da

SHA256
c97df5a83335bd7b8482cce7f15936eccc37f70636b2664540299c9094aa671d

SHA512
e365d37f4e364427de6d6714aae9cd3055c4f048fcb27b66649b658b2b5832fa194a3d89396d49d05061341fa4ea8c8f2ef18fadd673dc56927db23a85ac6f10

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
10KB

MD5
ba54ed569a9de9190201a88f3380c7b3

SHA1
9f29c01f95ed253e977e0386b147cfa0c886ff63

SHA256
8d38b079dcf17645b3c4834f060af90472540a609aca1d26dc11930b6b65a15e

SHA512
55002fd51366d677b4f35a78559489e2494c87f6af3b2d0490379a88490cf96ba3f9bbc104c16bf39f87437b9556219d3e55e164b8973de15ba761e5dd4f2143

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
10KB

MD5
905703a97c7402a90a3cad1f72f79c14

SHA1
7406747f024933454e87b1e4dd30d463d56ee4be

SHA256
e4e26f77505abe5b1713642c1ec33fb3023f695f8b03ca0bbec1da85381a6c39

SHA512
17dc5b2e2f23eb27b490891ab0aae27b0467c913d1cfd3f368b50c14aef8f9d0a26b7924f003dce043c9228ba29e331311572b53fb897d9e0ba713cc36282334

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
10KB

MD5
c543015fafb71526225adaed0a5d30a2

SHA1
c0dc2969db5b6114b23cab82287da8b5cbfa2eed

SHA256
a5410f3f6cc6b10b1c5ac731f1ef1bbe5d7f49431a62c6f7f350a07f33beb65d

SHA512
ec418af05ec69f98472cf6f8a252fdfc03c1b8da1dd976c685df0ddbf7b0115515673a73544c4f4c38e3b13456f0e4a5acbd6279572bc3d9bbfd5b565eb05934

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
13KB

MD5
db1ec0c5d85fb7ff1f21266f957b50fc

SHA1
fa831bf3a211cab5451a3b31476d6052b9524147

SHA256
bd43906f5ae8374b1c4d2f149c32cbaf68180d818174d61e35b06a3ba06ee849

SHA512
9b4ebe575efde0eeea1280c6014e5874471dff5dcbce980f39cd7a7715b80badbddb0b315d6aff00588c99bc89efabd1e159b2ececd8e1bffa9d0711d1beb9a1

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
13KB

MD5
ee496721be688aa76d8836d178623219

SHA1
baa51f1c2826510470b14fb0d9a926ee8d642e1f

SHA256
74ad2aabdb88feff8d4ab7624de4156c065a3d6baa1f0fcd353c13eba1b4839f

SHA512
005f362f943fbb1b7d3cae224290670f30da81625003e0a0fbcd514cb6a06893558cb989166b5b2f76a2c293e242151415e52fb4b7fef0d96a9c7202f972b477

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
13KB

MD5
92b3d4b0f4368507cdb925936cc68842

SHA1
ab2106696baf8dcd1fc690e2a33e1b09e4d60e92

SHA256
df252d90870dbd16f9c36cd291dfe4cb2cc17cc493c23543b7cd7b80934c13cd

SHA512
6427524ef65704067b4ddd6254b61c04fc9d9ef8c56e59467f0eb956f9745d741e442936ecfbcb3cf38ac60f47d58755bd28cdef0d78f5497c94d90df415a265

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
13KB

MD5
7123b6752642590070a3d24ff5089dff

SHA1
2e61759892440d6a884e7c30e22efccdb54e1de7

SHA256
18fa2f58a798facc6f2281bc03ed76eae647332cd8cb84b2b250a7ef5a9d8df2

SHA512
82fb028b0599916be0790f53301a14f3a9931106905495cbf7c15f76701a0934e27a5bf3ac186d36686943cc5bd95781421332f3e41ee182f233dc1b04719bc6

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
16KB

MD5
85e6c9556f67a1b7263b68fdc62e5c00

SHA1
32856ce3020fe87a8876c8e84e76f206c50ff8f8

SHA256
4b9540cf7dcba7ce7962254d5b366e533b7473d1c394650553c079762d5cdefb

SHA512
831f4515698f5a49e45ad9215805d00a6717756d9c8a4da372e97ce76887eb2606b25ef952da64983739ee87fa12836a4761ff1b10c18e06fb3ee768f3d54de3

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
16KB

MD5
3551805dcd3ce3ac5e29a2018c97b631

SHA1
f5cbcc53fbaeca05c3838eb2da67dce0c1943275

SHA256
28bbe2183259e6ef869f3b5a3f1bd8c2f1b83940bd542690b8e4c7cc26b8aa60

SHA512
1c8950d8d621ce67b28d8c6942e7cf3e0d15ab72fe09d75b3a117e5fed8c5fbee78dccabf94ee38508219c3c73b53fdde62f5d2eb2f59348d6339eccf097b235

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
16KB

MD5
7ae0b61025ffa78fc9feaeeda07aa086

SHA1
69665e1a6d906ed8dc7f84f274edc51d84c75490

SHA256
534ed41c9fa3864ee9b05d58585ca7dc20ce7b0c0d2caa40853f0c431d438c73

SHA512
6e16404bfc296d406dcef5c38f921d726b004ed039f50b28cad005e5edaa54e0d6a79d9462a669eec2ab1c4170114fbb4ced20e649f06bb27a055a27bdf5405f

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
16KB

MD5
7acf570f1fee67e75de1f0aca73fd1d6

SHA1
c40548b684714e2bb2703a2052ed4872169710a1

SHA256
a5f299a0da0279d098e025a55a7d87943f756ef385b1c61f34a76a9af0e32fd7

SHA512
56f5d69eae40a5126d2f8f5a467e34c0c8d9e20e137984c51cf45022d9f067c3bec34f9104c1347dad33d30a0bac4e4ecacb139a453bbfcc7513379e416f5c68

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
19KB

MD5
18be1e941c2b4e71a751c9bfdeab4c80

SHA1
2ec0e184ed46e49b712f888e65f610606c470ba8

SHA256
ba963bbe29d59bcd45361853f4bc6d6afba02c423079a4d90156142bd69dea08

SHA512
eb8fedb03930e6afab7c8a9e46cb3dad8cef2fa3913cc634671c7fa042617dbb7295d75cd934c0d9e7a97cc2c5a2a847f8cffe8269560633cf0be6eb31853ff7

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
19KB

MD5
ac2c7580b41f0cf85855d9ca94a87f59

SHA1
87ac8a390e2eacc8caa1ac7b3c7256a45318ac42

SHA256
656f702f2f3ed3e03c7d98befe9035ca4241c85ccff53f6527f821416caa4262

SHA512
c0b6074a9649f95db72c7c6caefb9df2b11150bc15744f1db6d4b0aca26d3e70993766cab60a35054a964a2905e3769ed84e405a5223808d3caa3d396326b2c8

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
19KB

MD5
850828fc2fbf7ee1a1ade496e84e7256

SHA1
2f135d95622ee4146ecb3303e97e2fd1bfcd2e4b

SHA256
dcc3c141823cb71bf9090e8a7a2ae3fbc1fd8bb430c3897c59b8f7f98a00d4ee

SHA512
9562858e075e5117c818bd4ee3f84a906244fc25ef3bc58cb8681ee360f50bd9860043cfb68d2c4d40d15a48edae78610cc141902000b190f428078cbfde6b3e

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
19KB

MD5
1b17a34168e1fd7785fad42f4dcc61e5

SHA1
03f5a49d64eb0440527833f66b8a98214b80a407

SHA256
ae4974997e6c878e5ded33aaa39c9dacb22b65d1ded74b24165ec2a1da394c31

SHA512
c8d60419bb7eac32c3e44dc3e8b92fdb1fb8b8224f0d9530c00bf690a3d77da8221f5780401ed300879dcfbaf0fba56d36daddb565bdbf689215a2ce98379871

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
22KB

MD5
e5fdb59f212c40403ce15746f885aba8

SHA1
681a49ccac2a1150f9e3e0eb487300f5456fec36

SHA256
3bb996d02093781ba0265e094fcc92b9c634d9120063e5b6af0a3eed6d8fc926

SHA512
a22451333441fdd719b9b850c5265939a936a44c027fcf288ca6a16864fcdad3e0867cd8a4158fffd0395ed311e9f72b92c50e8352d3a704ffd5b641f9c1c3c3

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
22KB

MD5
61ba5cca3f8f3696ddafe843bb0d2834

SHA1
1106b9299f1b35e5df1d41304a526a34725c1fa6

SHA256
ea5d510f78a1a324823a19185dff893d95bfe0f3218053a97790c80f8d7a52bc

SHA512
c441cae9fb8eaaa794137f14c7c84f50ad0d9af92b1de420284d985505108f40e58ce7a2e64e949c7f6e300fba57656f81a76a34380150f9e17e3ba241d4f057

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
22KB

MD5
20d6366ab376248b7fbad8e30dc5b0ac

SHA1
1c17878770af113d2ecdac3bf76c00d1da5aa61b

SHA256
46c966ff6b5785d334b091e41cbd4ebb9bab450bb798860c12833d8473219d5f

SHA512
7ec5aaacd6113a5fca3e0f811856cb5abe5f2b51602c346f1f0643735f7545e6a7ffded53e24d293e48a57cc21f76205e85344ee69f420a2d99f61885da3c83f

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
22KB

MD5
c2ac9324023596b6d5fad7a4b381bf52

SHA1
61587a2d8675d6d3c5f83d75e7fbbf0247c530e8

SHA256
d32158bcba5a91248cb9d5be7e592029b7d39cb4e3420ddcc083a86895092fe8

SHA512
0bbedc1db67575cac0de3bed7c479a9c9728f6a761ddd3c8c6fd03547af94d2168287006b35bebad8fbf68050191cbe8e31be7529c8607b09fc940d9dff6bf1c

Download Submit
C:\Windows\LMI4838.tmp\rescue.log
Filesize
25KB

MD5
dac68c98b79edfff1d10c579f957387a

SHA1
7b480125344154b1ee9ffce52f74790730206aeb

SHA256
d9e127ef916364a9a8877cbf6ec5641de6756744eecc74d23f91407716671512

SHA512
731b245510a4bd765ecee678e8047c4e3c55000a26d4d336a7fafad477b313465bec3a97ae68b306434c31cd04cd42d91ae3b5b0176cfc23ca589a23a4148992

Download Submit
\Windows\LMI4838.tmp\lmi_rescue.exe
Filesize
1.8MB

MD5
41e774079ab1a967aacf265e505985de

SHA1
1524d82a7c46bac90e6f89f8b71a1dcd67a383f2

SHA256
0ca7b8d017a00edf2920bb9c29a86a70fa2c197b2af0c5c8cac264e5d3962228

SHA512
4fd5fdd9720af6cf317bf49bd1adb766b315ce6b6b6b2af0e3d915770601fb75e38ac60fc870a1de97d35bf5346eb035a73db5c65f4addb5647a4b1e1ef1f178

Download Submit
\Windows\LMI4838.tmp\rahook.dll
Filesize
173KB

MD5
a74e732e69462a88ab84963abe26e055

SHA1
67ed07198a8d95e10e4e2c1c31f065c229d62e7b

SHA256
d079268ff103765a4fdab0e4ad44f1b6b5fe00d1aad9931eef63fd682818396f

SHA512
fed6cea867b41c5a0ffc875b7b80dc2b5ce9f15b4fbefc2d7d3ff03f7f5f0278c4c933f0a2e26c9938b9426aff9763300be143f2fde42a9533c93b797aca7927

Download Submit
memory/468-69-0x0000000000000000-mapping.dmp

Download
memory/1956-57-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1956-55-0x0000000000000000-mapping.dmp

Download