61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe
Size

936KB
MD5

83886a33b7b682a23b68fff233edff50
SHA1

0e78ea3d1251da29ab9ce8184b39a7f0e080cc8c
SHA256

61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8
SHA512

49647b07742dc26058406723164a212f7d701421c9241ac1009c13b4e332476edf4acf762a1e00ffd4f1bd1c86d1148b469728f8eda9bbb5562ad7c8e9908171
SSDEEP

24576:Ps/Z9arRbSnCS/ZmExYaEsAGSTU9twGTdK8kUu1hLMP2:4CFbSCSIEiLsA+92udK8bK62

Score

8^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
980	lmi_rescue.exe
1164	LMI_Rescue_srv.exe

Loads dropped DLL 2 IoCs

pid	Process
1368	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe
980	lmi_rescue.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	lmi_rescue.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_4111620000 = "\"C:\\Windows\\LMI428D.tmp\\lmi_rescue.exe\" -runonce reboot"	lmi_rescue.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lmi_rescue.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LMI_Rescue_srv.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	lmi_rescue.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	LMI_Rescue_srv.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\LMI428D.tmp\rahook.dll	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe
File created	C:\Windows\LMI428D.tmp\ra64app.exe	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe
File created	C:\Windows\LMI428D.tmp\LMI_Rescue_srv.exe	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe
File opened for modification	C:\Windows\LMI428D.tmp\LMI_Rescue_srv.exe	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe
File opened for modification	C:\Windows\LMI428D.tmp\params.txt	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe
File opened for modification	C:\Windows\LMI428D.tmp\rescue.log	lmi_rescue.exe
File opened for modification	C:\Windows\LMI428D.tmp\params.txt	lmi_rescue.exe
File created	C:\Windows\LMI428D.tmp\lmi_rescue.exe	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe
File created	C:\Windows\LMI428D.tmp\params.txt	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe
File created	C:\Windows\LMI428D.tmp\logo.bmp	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe
File created	C:\Windows\LMI428D.tmp\rescue.ico	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe
File opened for modification	C:\Windows\LMI428D.tmp\rescue.log	LMI_Rescue_srv.exe
File opened for modification	C:\Windows\LMI428D.tmp\params.txt	LMI_Rescue_srv.exe

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
1976	bcdedit.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	LMI_Rescue_srv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	LMI_Rescue_srv.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue.exe\AppID = "{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\FLAGS	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue_srv.exe	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue.exe	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ = "IRescueSvc"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\LocalServer32 = "LMI_Rescue.exe"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\LocalService = "LMIRescue_c0704696-a1b3-47ad-8a7e-0c8ed7e06c1c"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\Version = "1.0"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\Version = "1.0"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ = "IRescueSvc"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\AppID = "{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0\win32\ = "C:\\Windows\\LMI428D.tmp\\LMI_Rescue.exe"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ = "IRescueUser"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\RunAs = "Interactive User"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\LocalServer32	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\FLAGS\ = "0"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\ = "LogMeIn Rescue Service"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\ = "LMI_Rescue.exe"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\Version = "1.0"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue_srv.exe	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4f28-B191-A6EC8801AB3B}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\LocalService = "LMIRescue_c0704696-a1b3-47ad-8a7e-0c8ed7e06c1c"	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\ = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\TypeLib\ = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\ = "Rescue Com library"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ = "IRescueUser"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\Version = "1.0"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\TypeLib	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\HELPDIR	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\ = "LogMeIn Rescue GUI"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\LocalServer32\ = "C:\\Windows\\LMI428D.tmp\\LMI_Rescue.exe"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\HELPDIR\ = "C:\\Windows\\LMI428D.tmp"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0\win32	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\AppID = "{359471F8-E218-4b08-8D1E-8DFBF2F0F700}"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue_srv.exe\AppID = "{359471F8-E218-4b08-8D1E-8DFBF2F0F700}"	LMI_Rescue_srv.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
980	lmi_rescue.exe
1164	LMI_Rescue_srv.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	980	lmi_rescue.exe
Token: SeCreateGlobalPrivilege	1164	LMI_Rescue_srv.exe
Token: SeCreateGlobalPrivilege	1164	LMI_Rescue_srv.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
980	lmi_rescue.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 980	1368	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe	27
PID 1368 wrote to memory of 980	1368	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe	27
PID 1368 wrote to memory of 980	1368	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe	27
PID 1368 wrote to memory of 980	1368	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe	27
PID 1164 wrote to memory of 1976	1164	LMI_Rescue_srv.exe	29
PID 1164 wrote to memory of 1976	1164	LMI_Rescue_srv.exe	29
PID 1164 wrote to memory of 1976	1164	LMI_Rescue_srv.exe	29
PID 1164 wrote to memory of 1976	1164	LMI_Rescue_srv.exe	29

C:\Users\Admin\AppData\Local\Temp\61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe
"C:\Users\Admin\AppData\Local\Temp\61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\LMI428D.tmp\lmi_rescue.exe
  "C:\Windows\LMI428D.tmp\lmi_rescue.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:980

C:\Windows\LMI428D.tmp\LMI_Rescue_srv.exe
"C:\Windows\LMI428D.tmp\LMI_Rescue_srv.exe" -service -sid c0704696-a1b3-47ad-8a7e-0c8ed7e06c1c
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\system32\bcdedit.exe
  C:\Windows\system32\bcdedit.exe /deletevalue safeboot
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\LMI428D.tmp\LMI_Rescue_srv.exe

Filesize
1.8MB

MD5
41e774079ab1a967aacf265e505985de

SHA1
1524d82a7c46bac90e6f89f8b71a1dcd67a383f2

SHA256
0ca7b8d017a00edf2920bb9c29a86a70fa2c197b2af0c5c8cac264e5d3962228

SHA512
4fd5fdd9720af6cf317bf49bd1adb766b315ce6b6b6b2af0e3d915770601fb75e38ac60fc870a1de97d35bf5346eb035a73db5c65f4addb5647a4b1e1ef1f178

Download Submit
C:\Windows\LMI428D.tmp\LMI_Rescue_srv.exe

Filesize
1.8MB

MD5
41e774079ab1a967aacf265e505985de

SHA1
1524d82a7c46bac90e6f89f8b71a1dcd67a383f2

SHA256
0ca7b8d017a00edf2920bb9c29a86a70fa2c197b2af0c5c8cac264e5d3962228

SHA512
4fd5fdd9720af6cf317bf49bd1adb766b315ce6b6b6b2af0e3d915770601fb75e38ac60fc870a1de97d35bf5346eb035a73db5c65f4addb5647a4b1e1ef1f178

Download Submit
C:\Windows\LMI428D.tmp\lmi_rescue.exe

Filesize
1.8MB

MD5
41e774079ab1a967aacf265e505985de

SHA1
1524d82a7c46bac90e6f89f8b71a1dcd67a383f2

SHA256
0ca7b8d017a00edf2920bb9c29a86a70fa2c197b2af0c5c8cac264e5d3962228

SHA512
4fd5fdd9720af6cf317bf49bd1adb766b315ce6b6b6b2af0e3d915770601fb75e38ac60fc870a1de97d35bf5346eb035a73db5c65f4addb5647a4b1e1ef1f178

Download Submit
C:\Windows\LMI428D.tmp\lmi_rescue.exe

Filesize
1.8MB

MD5
41e774079ab1a967aacf265e505985de

SHA1
1524d82a7c46bac90e6f89f8b71a1dcd67a383f2

SHA256
0ca7b8d017a00edf2920bb9c29a86a70fa2c197b2af0c5c8cac264e5d3962228

SHA512
4fd5fdd9720af6cf317bf49bd1adb766b315ce6b6b6b2af0e3d915770601fb75e38ac60fc870a1de97d35bf5346eb035a73db5c65f4addb5647a4b1e1ef1f178

Download Submit
C:\Windows\LMI428D.tmp\logo.bmp

Filesize
3KB

MD5
afbfcdb13124bc087501dfdb0b3d2d3d

SHA1
197bd2df5aa8d4987c0db8de46c624881cf49aee

SHA256
4fb876a42bbdbd6aae4d8a38960369183923a5654849b42677f1c0b04afa7da9

SHA512
55966b77998de857f06975b2cd2d33768e538aa463df406f3c73a9ef49ff26fcc4221fab924232be379d773c857499cb88565d9d3b699efd0fbe48fe7fb69404

Download Submit
C:\Windows\LMI428D.tmp\params.txt

Filesize
242B

MD5
3cbca6ee1aa7700b2c1b5ae15a800bb3

SHA1
3898e19c19e0f6d4e40ebcb5d0d4d6d393e3b31f

SHA256
6d88439028bde17f406712fe7491d50bdfb8a17ee080417b151acf3ce7083002

SHA512
f089a6068fcd9658e00dba8aeb9c7a04222e35d466aec98af06814df3c60ccd3d3f2d76d1966cc052943030068e61c7b9d171693138697b135f4ed839ded6bc4

Download Submit
C:\Windows\LMI428D.tmp\params.txt

Filesize
297B

MD5
596ddf8bfa28efd8dffe477980288353

SHA1
832b6463b3501967895c4e3c68b960b9d61cf575

SHA256
ab7f948bdfc3e8b7e06d2c18d24a5f6861efa23d3658e62695d7114ca01a3c84

SHA512
2782c0a3791efe84b0dfb29bca5cd79cce8327242c9207f18d44ec2959d7e237f5950ba8f316617babc3681ed6046ce59c8e6de3d1216a2385051261ca750f56

Download Submit
C:\Windows\LMI428D.tmp\ra64app.exe

Filesize
208KB

MD5
68df4da2cb339832b713d45bf4f2dec1

SHA1
13ea77ad5724e5c6edc44a0e872d85c3a93ea593

SHA256
636e0e368a66049eb2b1e688549f50e93258664f9a85f0477d5e1192242c25a8

SHA512
80d81ca71bc5c8d570b6cca8f8f815cfa6d8cd7a3dabd8d9da46656efc8f6a68be2f5e1ca14378a250e3f2886acb116309960b7fce26ed2ed33bd6d9006167ef

Download Submit
C:\Windows\LMI428D.tmp\rahook.dll

Filesize
173KB

MD5
a74e732e69462a88ab84963abe26e055

SHA1
67ed07198a8d95e10e4e2c1c31f065c229d62e7b

SHA256
d079268ff103765a4fdab0e4ad44f1b6b5fe00d1aad9931eef63fd682818396f

SHA512
fed6cea867b41c5a0ffc875b7b80dc2b5ce9f15b4fbefc2d7d3ff03f7f5f0278c4c933f0a2e26c9938b9426aff9763300be143f2fde42a9533c93b797aca7927

Download Submit
C:\Windows\LMI428D.tmp\rescue.ico

Filesize
1KB

MD5
3ea098064b51c0798caa341a1bd0dd66

SHA1
ac4e762994a6946c7b614fe7ef1b82ce76fa4ece

SHA256
81672c20b4a515cc5af55ec8526bad540b92aba41d2e3e106415471c59c17a23

SHA512
757a2ff128f24620bafdae37c6c4a9657e2fa0ef3e21f5ddcad665284e6288a4df53a47948fb16ba62e8860c5ec7c04a37d608c62702608bde08e0ddd28cbd41

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
27KB

MD5
5c2de050ffa8afab075d62bd9088ddbe

SHA1
6421e862d35e18be346838e0494d4b18bdb99faa

SHA256
038919a4b42f555091bb78a6c58df245571354865be7d2ed707bcbb826027415

SHA512
6725bc612c08242a60c23fd4a59e4510df397d3a9dbeca87a6f4fb833e5673ed1570d811ae154ae8bf5dddc6b5290da0919dc6d36de75e1f947326f37922d096

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
27KB

MD5
4289012114b8610110709be1cedec9e4

SHA1
d87b1a442d312b7cf731423e3f167c2b848b9d08

SHA256
140fc9520fb95b26a1769097ec3a05ed5a7408695bbb8323aaed6d4cd8a19987

SHA512
7e3fd97d3c0f06c49f544296fca9ad6e92509442f8899522ec6f36ce045e6707ae268ee13044ab142c68a681217c887eaf29891bacad55bbe2af144afb8d4d59

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
27KB

MD5
ae1e8b1853e460bcda71e1a9345d8b8d

SHA1
d0daa5dee3f016ce6ca41e484ed086cf4e7bef93

SHA256
6183b716f0ae4c2853818aaf06ba1eab1185abde3f88f47897a26e0264c76b28

SHA512
2e05cf79ae06479ccf2e8be3279769bd5058d990d5b0b6940ea6e2521eb5e6689e6ac0c2acb5c75d94130176711cbaca23b757b48a099361d71c30c35bb28e47

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
30KB

MD5
cbc44522036fe722ea9bede23b7e1a8a

SHA1
525b9720021785093e70f7f7576568984f856c20

SHA256
252ec1bf2978b28e1834b06922a34d924c89bfe34d3e9ba0e73487a882778307

SHA512
b2cd7ee667ee99199015c5563f46071870658bf5727cf210be98e4631e4ba19ed14a88f1bb7a41cc5daa554b85efe2e273f907a6acf3e630ceeae330260eaf22

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
30KB

MD5
35eaf1a24c9a44a4db02955fd75ab675

SHA1
95a88de71a2e2b6e80c17ac29d78d96a66232095

SHA256
98c44c6a0120fdb54067c5cfb540b9e88f08bb683af334f0855403a1ac29461e

SHA512
7ecca20446bb264e1382f2235d4f499bd3b611d3731008f39aa13e3480ad3017552a8b0369a1c13aaf2efb0387b35ad3cca338ae55894070b09fee298153796a

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
30KB

MD5
ad9856de5ce64f17ce29206efbf7736f

SHA1
93dd76aa07b3a2a80d33c2d0b997a612161c4dfb

SHA256
6d0270257c3c8b93f48db543b8aec7d214f031babc5be9cd543ac1b01a9eac5d

SHA512
bc98229bdf5f4381e25388eec7959213351d923a10315fad1e59caeb3d899d76cd8278d3d67a1c61d2a845690d89ba36ecb22d191b921e6b44c91120edc07dd7

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
30KB

MD5
468eb02f72d74c083010bada294b00a1

SHA1
117dfd1bbdf4e007a704b9548e540598464673c4

SHA256
1edb66132f6ad12f8023e6d2ea6bcfa940cf57de556e0f3bee95bcf48be5b7d5

SHA512
526e3d387b933d3a43037a4088ecdd4d1d682be869df6fbf1b34a10725e413c0c35a1b4d9a0fa33a1532bd87d82a54e745c471588e1086dfbeb951e7087bcd2e

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
33KB

MD5
2783dd1db9d32255ea475d4b5fa5ffcb

SHA1
92975d70a4023a5a6efd669ca781910612be6b16

SHA256
c724463cf227a547a7d53bc0133b46c3099625dcd5c2a35b9bfb2ec0b25cc9a9

SHA512
7b9f969469587252761c788a4e5df8ee745e21abed84d07eb9a25043a6e72c6b6e2d162690e7c84b2aa6f3302ff20fadc7f8e3761499e089b01172b0029c77be

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
33KB

MD5
a066c5502d1c4538c9d12bc84a1027e8

SHA1
31d01efd1ba21a23ddae8d342bc3c1e7c0e2700b

SHA256
7aa2899b2833454bb8a30f20cb8d53d6a49fccaf6793f8b076cfaa4806dbffbb

SHA512
f8e5a503674c6d496f5bb4a1f9ac3f9257d265c5f4639233fd7501945539eb284c3db0e18072124862657cdb6f68e46a19e00fdec5bf5440933c1bf78ff46b1e

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
33KB

MD5
84903bbfb3da633ed2f760e458e31cde

SHA1
20511864430ce4375668a27edfd56303eb5ed786

SHA256
c34b0944a09186222cd8b28e9fb2bbf936500f6aaf4abec561adaaeecd9dfa8f

SHA512
a842ea56a1aed219f6a57e4b78c8cf9d508745760fca36fbf222da1e66795045afbb0e933c97314c4a9522e855f79dfb4d7d1c64be09cf4bca8176c0155019b8

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
33KB

MD5
4a2d7d72556ee7deb18664bc2041199d

SHA1
8e03bb24478684794968b012c9b76407ea4c7966

SHA256
a71301705421d6f240ba4690cd347a037d0f483b468b475d1abff4ce0a657b4b

SHA512
f5343d44c1985e1ab885f9ebdde1bad78dec2feb9957049937d6a5a4e386e7162713030c5b24d6671c9f8c7f1b9dcf87e3fa4ca468fd84cdb7c8720c8588e6c7

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
36KB

MD5
f5d1bffca38ed999e59c266db441b705

SHA1
e52c5d5fa57a612045d8c4cbd92f001c40b941a6

SHA256
b666656a3d144372124759d965cd8f137ed2766940054ac3dc4c25de20f58ce5

SHA512
d465f08e326dc4a63c0e9c5325928f9c54f108252e2a4f6b86e85a005d47575c24238918689623e7f6c33a56213a8a43125683326b5aa008d7393384a50ba36b

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
36KB

MD5
6308cb626b3c3a9873a5b4effe2ac1db

SHA1
747a83f4465f47e6aca6f9232c2e922c9cb1f516

SHA256
c8c552c6cab1a2ff7ae037b11160d2ff5506ef3d38c28b05353329f1520e5a60

SHA512
aabe05f3f20952fa8f4df69c2981fdf215a128b8a4dab88a185fdeb682b3da4feb0113a0078d257b243747580f5539d271f087164f523ff97e881c23af5ed1ed

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
36KB

MD5
8140679356c5d31654bb3547225234ac

SHA1
d2d77a076c943fb3a08d8435442b51a01eadc2e6

SHA256
6b708a6afc33554ffa86bad84af476dd7feca33bcf78fe83d65fcf01812e4761

SHA512
a0df2f1e57f9cdcd9eef26d4e49d21a3e2ac8e8bf130d70b4fc7bda4984465b1c6cc62abcf00097ae71460b50cfbb19696b9c16438b6bb419134f826fa8afc66

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
36KB

MD5
77ae8f9df803ab90d4e0d5d8e115f0c4

SHA1
e5dd72978aa04f811e87e8a7c3427f3271f07ae0

SHA256
c4889c28650f163580549112312144428da393d628d6cfb2b4ac87f2f1742312

SHA512
7f277150d05029301206c5723e832a49a67a0f98654a15c3c22a0c97b30ec84860eab438e6f57c1938c40929cbd91032d7a1c725881a1a2e4c5746c66549b1b3

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
39KB

MD5
a61766d60410bb7155ea6f6e17e35ef2

SHA1
1da08609a746b805f22109272e46df22c49424f9

SHA256
b09b6291f95259d14da2898ced245157067e5bbc706cb5a9d75315a4b44c5108

SHA512
8e9809620042b9e0b97e5161d6f3cef4c71e5de05edb5db6f12aa89a7ccb6f57b8f3fb0cce39990fefec40f5beafd3934392fa6969420b84709d2ae237be5068

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
39KB

MD5
9e5727e1bce52e9214f7304fa9eccf57

SHA1
4a6dab39ff39e45eb6ac35338c502841c0bcecbf

SHA256
59cd178f4281383748f21b5a838806dc258026d245f202a0efccab1aae579dad

SHA512
6ea625dde33987faf499c348a5bf9abd83f192795f493e9d0615be75ec2ca954a88bfb10120d0613eac8a5453b956421c94a7aee84b5157f31ea4c60468dba8d

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
39KB

MD5
9547a3784cf818dd35542550eec99ec2

SHA1
230e5fd8b88c55d0ef91316ba1248a607e3e5f69

SHA256
89f2dddd7c218142b16be2d67d9e26d5261aa2de36c12ffb9decce0e38ec5f93

SHA512
ca05a8d4b2eaa5b7e92d9c65956d60683e295257c9b72afddff66cf6f365199d8a9a8929acbac4c727c9a82504be66aedb9400c4350c3d3c682291ce44608fe7

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
39KB

MD5
ca2de2b2f28f1f620917397add263a93

SHA1
a1b7c1b953bcb4a0f60f8ee6fc790a98dd665266

SHA256
54486071a84fa3a5b66387828c9204ee6ef44843a0de6660fd442e2e02694158

SHA512
10865bdeb375bfae92407db72fab03aa8baf74c1f6a6f789709c7cebff3afde98b2c8fbdf846cd455fb376ea691f96538c36f61a2856f3510036b4868f90aa53

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
42KB

MD5
5a9cdaddd649925543130d76b8863a1c

SHA1
1116866bc6b79be245143f05d702b4041961fe83

SHA256
d47d5453eaed54fd303a43d8ed5445cf469716bd6769087c2e2dc5d929b12d7b

SHA512
8c0227b8a7cc0093d28bfdb44e64a6484d342fce64447f24509010d328171b384479cfd460573ed9617066248902b978a670009ddfea5fca15687e528ce0e97e

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
42KB

MD5
81cd5c137e2b073de8e21f7ac20b60ac

SHA1
b5945b65c642ad121d5f5a3e55ef808b5d44b5af

SHA256
e07bbb147635f72b4acff86a5454ae2685f69c6caa0b9f4a4c47ae4ce88b14db

SHA512
7c6ec5fed298dca84bdd4462e0f6ed4211cb93a2aafa24839110f3d6683989762c52cdaac9ad9fc5f578707a4b920d38f7dfd4949cee66a1094a572aab17ec15

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
42KB

MD5
80eec09324355a023c5b8ee84b54edbc

SHA1
bdbff4da1109a7a2a8a557cf27761d87567dfe22

SHA256
300fed26c414ffa7bbb8d3f93f0dad82c902be094a5713d58728bd07ea72ed2a

SHA512
b75efb6ccf7f1c68e1f61a36eeb559cc6a9b47354794c1ede3323a750d77ae47b3996bd7b7e2ce26f416b93cc423a82ef8aace10a956e6925ba4617f36f1c32e

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
3KB

MD5
4fac2f25f0287f173cc244c5c5c2f2c4

SHA1
63b92d73632663c5e73e0e4dea81c15d63f651e4

SHA256
415f56f3ff021bd86ef0760cf55eec98a70ec11894b544e5d3271bde8fae41f8

SHA512
69c5de4cb3d9829ea8753163c77917ac341ed69460607d977f9f949a25c7da6ce57f1e47e56e0e63492de239365c3bdbe85f6bc093d2b660a9b047e542943dc6

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
4KB

MD5
b86a05eb21fe8e19e2e46e69d00abefa

SHA1
2e62530458076a65072157c499a3d8ff3b85295e

SHA256
cc1d748513b488f2675d4f03c6d005ac10b02a367cfc19eb04a5029db4032692

SHA512
00124020c00c242a339ea02900552ea17e0d3f64e160ed5fc697e71d53d49efe9b71c4e561def70e30d6ee51362c59ae0ea4b968f90ef43dd315acee17f15c35

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
4KB

MD5
8efe080b7db7680d9e5685cf77751bd7

SHA1
b2340eae94b40c4a1c3b52397ecbc1e3e2922f7e

SHA256
bab0e2423796985513d57e63ccc3a0f39198c7b1b13e126c7fbe55ffe5be7ade

SHA512
7b32cc4283b72f3d19e4b4578ffc8b6abdf024e068f4a2d433af5da683615c6748db56406c50127d650365a5f7aa0b997de1982ab9bb2cff5c83264a3dbcef3b

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
6KB

MD5
1eceed55f2f106a990ddf3fe896b7c63

SHA1
14612e32f90cd254d08e5809f6d22122525b2f94

SHA256
7a8d72372fd17f058a77ce3c5e66b96222cd48ec2b250200a266188ec45767bf

SHA512
045b07d970038bd992fdb902b88d8570ada335dc43ff322504e378904149f127a629ec794214e6a96668b00723462aac7f72b6c4df8a0213a178fa89781a3af4

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
6KB

MD5
8b6c0049957ffd3711fc5ea4a54279e5

SHA1
79d4edc0fabfb108508a03a630eea96076ec8ea1

SHA256
715fa7cb7a4c1d64c6fe049e3d6e4d0c61eaacd35025d10aaf33e7a83ad4c990

SHA512
959d3701f9ad6578d9834cf6c580ccc35412f23b65ebf1bc5b42c9174d7f67fc4b7b08bca0db1647dbd30ae31cf487828f01303140954e3a8b1a5a40e066a656

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
7KB

MD5
fba3557d6e0697079a9df43096e99930

SHA1
03d8b463ae2ff5cf8ecacddbeacbd1a33c2126ba

SHA256
9ebaeb68aa197d6c64e01e4535ab6c58ddc463ee873fd085475835292d1c7d3e

SHA512
97c61961d4a95656cbb406e08971b5c97eff9707a18cb2f9f46beaf4278b0044d8019e2634e04a6e19908c5081a1542fde63f816d93b3a9f7f789b17b43a8e0c

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
7KB

MD5
983d59219bed7397dc8c5eeeea6dc6b5

SHA1
3fb178e215d62ab717b6c9ce077f5dd2e806db0e

SHA256
8b3a44074cafa2f6eeea9280bb5a05a048ef256569c20321e75e314cf25a6fc9

SHA512
2f114cb94b33807c14008853830331d309cd4c1a8a8e5be46d66bbfbc090bc418975a0a996505fcab8444cb20128c86f7b23a5a417b1c2c1d5b4b9c62862ce99

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
9KB

MD5
4dba660bb76a1ca161a6c454974e290a

SHA1
5c0820b67be982c1f9d821e8688395dbcbc49f46

SHA256
2025fc07a6644a1cfdd93460c4f6928384773178b2eb60e55019580db64ae866

SHA512
7bb0fbd70ebbaabcb6839686796c87058428d3b429d98850e8a215515e54b39efd705444b35b35b88521b4a709894c2cb86fdba2d98d454a58ad9ab78b358068

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
10KB

MD5
d125e187b1da2cebc75ba9e061b6c9a5

SHA1
9af09210747ff1cea74da6c06d797fcbd5bd5110

SHA256
e9b06171801798ef2175edcd0a5716078bcc1ae2803eeb093a92f8871354a800

SHA512
374fcf9cce03ee3475dd24b5911327ec86192be25c3256decb4dbce61fc47d32fa76cc294a916cde7613b08f1c9e002d14c9af0a4f4fc72f21fea3b5e4c330e6

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
10KB

MD5
d1f2229ab697654691aed93df1d43583

SHA1
7bf8ffaf787fee44d5bb1ebd4d52313c6cb46ccf

SHA256
ce941724876b54ba743dc87e17c8e7272126edd7f01a924f8eb01ec9e4631cc9

SHA512
d8f7fc2d09e8ad080395562286aafc140878209e73b9cdce47863c28d4c38848583ade3772712c7ff98109a4ba2b4dad0026dce48946d98cd8e505522c765d48

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
10KB

MD5
4a09a7fb1c19f2bd548cb3aac43b56dd

SHA1
d471b254183a6aff6a41721c85ebb5bc1a5a264b

SHA256
03fc859d87c74a9a43dfdf5b13bdfc19ca3efc12b0a5d41b9f90b5e21cec621d

SHA512
8aa2e90578fd92810816a4181e4c683e51cc526f7e3069db0e842132278ade1763f417c2d7ad11acd92f24265888510c0fb9eb4baf31b89b42f857b5df0dc9f6

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
13KB

MD5
21287c4a719c1564482e9d91940bb9a7

SHA1
19735356e6434f34e5f4ef4e74967be2cb0ccf24

SHA256
bac9a7023eea2683657b4d7d22a8bb9137b58a704c0aa699f45123bb620a575b

SHA512
683413b888c5c310ad5a7d43d95eddc39bb386318990f2e834eb6bdbde84af2c0a1cd4e22eed1617daa40cab2fdff59b355d18b29d29a66e01bfee378364bff3

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
13KB

MD5
c1bed85ad77a0c458e2d69a8305f94a1

SHA1
6b8c628a31155cbec940871a1b21e26ba7ec6a5c

SHA256
ad5cfd6763c4afa4549ada6bea710398dfa6dde28cb4326681baa20dfe5a76b6

SHA512
3f5c4a71b0123581bf2cf1803c99f8af21a7a64c065b7b11a3d4f9f32fc08d6391894222cf2cfa6471c8f856626622d09e9cc2c1ab39b369333e864a479d09db

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
13KB

MD5
f7f59d2760ac8ba6e10168296a24a647

SHA1
b9e1c41ecd0f2eb30878ef1ad2ffe5ba413c7f5a

SHA256
27635cfdbb4480de01f5255b4c05fde37fd2d53f9293d882105877fcdf293bdd

SHA512
4b60305ea23dc8002860e8c3c23bb522f87076450cc525c836a4f120e85a50a7e232edbd05d7f7f1c220f99d08146431e6a9c2bef9de23d3fe0e63374f56dc27

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
13KB

MD5
adb57c94fd9efb37bb1e97d7dc7897db

SHA1
fd951ea21ec989fd5c3814d5c24998ac8f973e66

SHA256
7dd4da97b47a2d204a5c21b5da41548499b3b22d0eb7c86316e80924cfba0cd7

SHA512
f6cf7402d84dd83ab7d2ae0e24d4ea5e0cdc16520a59444df681dc028802cce3ffa8190c2783fb5039c1489b39a83e48480110e9d32e3ed9d464649aa4b5a203

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
16KB

MD5
d355394e6bd43fb42ccf76fbf8847ec1

SHA1
a8443aba311c3a65a3433ae4cf69c7a9ef9bc75f

SHA256
b0f62bdc7717ef758aa07004bcdcb03f1502d8225e74cab4d4acb41fa7840f0d

SHA512
6ab1f8ce3d07142397b1a5bce8f91143f1c5af22de0679e4bda709827bf4cc17a9b8120fba565de50610638373f8b88c79114e8f0df83c600bb62b8bccc3c9df

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
16KB

MD5
baf1f7378e9a0f1d549119823d9bb3b8

SHA1
06eecc60a1e9e3e9ac8374dfbbbc857fd7322a1b

SHA256
bab9d79acbfe591d800bae9d85174b133962cf0ca81280bc44ec2fb50d726542

SHA512
7024be4c935be9e47dea34e03ec39028a8fdb3164a8bad1fe95bc625e8e68b1444d7d7631c4b0bd9ca1739b776eb4f0c4379ab719e9e91fc3fb707481b06ce7f

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
16KB

MD5
bb1546c95678998b770c7f811b9efb46

SHA1
c76679d1b4fcdc5dfa705157133a343ff871b228

SHA256
469a46c7c35c2dbd67624f05c09b86cc88578e6a26c7182bc6243f0c96846cb1

SHA512
62f73d65c29dde84dcf85ed37d82fbed4165e2192c0055c355ee0dafa4864ab4c6fbb602d5be5e6cd23dae5bbba5c09f4825f93bda7f0c9a49a4b89c60f7a57e

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
16KB

MD5
b422d81df0e371e114438286637b8e45

SHA1
78d9026b7a11eb43d7836a51c6df88b93ab06436

SHA256
5e7a6468841d999c9dbafc2f18d950f7872494409747c3a433d8ad26a33113ce

SHA512
58e8642b77734bf556bc45c3c50773d15cba8241d986abbfbee4a7f4d33f8c62c2b5cc60a244fdba268ad10c5e665799faf7aa01d4a9f26ec517e644fcacf731

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
18KB

MD5
a986f3f726f28b8a5688c711f72f3d1a

SHA1
ba95b31fcfb6d1bb1841dd0552a06d2834ceafbd

SHA256
f609514e586408ea0f996f5e9f64bcab7c518483a4d03d299891918b1f4b8539

SHA512
cb8b2bf7fe6b7d51e8fbca2662466b574133ff861c26121855a70402d5b2812c04df7109c049e41f616f4f2254d0a2a09f2332f71bd3411f5d32e23ce0cce188

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
19KB

MD5
19e21ce84c70947f51b6f240464f6505

SHA1
db4d435e6994d742c7856f1efe45775cb15b4679

SHA256
c2191450832f422efc35bdee80b5a40e3fd697b9f82078acc71a926b294dc300

SHA512
f67c19517cfa36789b06da084f64ce7042fda0a8d98580807243e11f6319503ae54807f06e882aae72cc9b0af6bf3bcefbe1bdb9f3a3746635502bd53898c017

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
19KB

MD5
357415ee20bbb0fd09465b46d36b9129

SHA1
c0128f38e0934bc86f75913f82da94e9b8d0bef0

SHA256
33663269c5bf820a5a29fb989b5df2839659c012b7651e37541e3bbbee8a73ce

SHA512
c9cb2021cbaf5b1c5c1add70f4b1862bf6d0611284289c2baf63d963b391dac62207dc3ce4fd4372c8e2774a69642e7c97b2b0eb3c70b304af81191b7fa08b68

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
19KB

MD5
fbde23ba344d2f75527009ce22c6fd24

SHA1
1ae4734d53a1b7849c0c7b5ce78fc44b9b149d7b

SHA256
3a7a9453c65f2f51a5df7f564a240d913aff62eadc895ddd4382b29df6a9a316

SHA512
606f856791a7e365d34c95d05c79a73573b7de7256db1390126b10d44122beb3ef58e7fd6da9b45d03f2890155ba7c30190aabb34feb339694cf43f67c8c6f0a

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
21KB

MD5
f8dd96adf9cd9f9f7d8f6acdf1e5e906

SHA1
ef37e73d32fc8b2ad22b1e7c87ec2f533b0130df

SHA256
eb14bc9253714bd99d13b90065491bd376abd08fabdabbfc7bf290d7eee68bd9

SHA512
4ed3ef47f9ba3d534e79056c29d93da15951f3309f5b2c8ed76139a3cb4dce3194c76fbde6dfab02ecb3305b7c1147cece73735d218869c21ea2c78f0c3a00d3

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
21KB

MD5
cf45515c4639340d82956446c6762916

SHA1
8fe41c17c9d2ce374652f4b9949d2d51af608f42

SHA256
2bd8b7cdba00cbcb9c339d33888fa6bc2cdf9fc26b03ee7a2f3da71abca0cf25

SHA512
9ffa194bbd5f51ebbdf6ab3b2e0c2a143fb8186c2a4712ffc46033c5929ff6f5d59e079d90ee179b489e008a0daf8fc085d66bced1ad5082c19540816a436598

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
24KB

MD5
d27b5c551b79029727e1a22dacbac5dd

SHA1
7b5d5e984878ab7a28e2fb31e9ed9857d1354a92

SHA256
f52dfd89aa10b3a61b7cb2f95b2f2bf69963ae3aa24ab3ad42587829c61241dd

SHA512
7b57632d2f3b7a14a1dcca1c4aa6735747968472fbec23192cef0d3017d5581747b8dc55d746b94a1197250c8361d4c2dd803c4682af11d46b0b331cb0bde7f8

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
24KB

MD5
3e7ce9a2491e4fd9c980071fae7ffff0

SHA1
ac746def55f21faddf131b76fb37932068dad41c

SHA256
369a68aedfbe1db1d53ac580a711cf3063de3f1ddf40db169a198a5491403642

SHA512
098c6cb42f7c41f8eaac73f88add0ab7712719446fcb2da984a559116d92af392e85e0c67803903bdb1bd1c5c9a6e366e8124bc2893fefe71711ef6753a6c2e6

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
24KB

MD5
8919107a7cfbd8d8db0cae88bbadba16

SHA1
ec47cae1a45a7578de454ae86dc78cb5167043e9

SHA256
ce3a6cfd7abe02f3f66ceac8fbd474a77429941aecb986880587b49a3d0b58dd

SHA512
13eea0923021e463c0cf2865f91190fec0b5f795a7299f25295ed7689ab9520210f56f940f107e7bb598e6d9035d13f97b8ae98304961f040eb0256c244b1090

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
24KB

MD5
b6854ace1ff0eb98627d3291de564722

SHA1
9fa047dd68ebf9ee8991fe24c0e109903226a90d

SHA256
26b9bd60c2aa2fdde7cd9c2f6476e01f04f1a4f3399b59a08962b31bf8c46bff

SHA512
8a52d34f41819bcbfa9bfd902fd40d40cc6557d45173be127f6417d486d835fdf95f68b684c33d3a8d4b6f7b579895c8dac1055567dfb8869f59ad812609d029

Download Submit
C:\Windows\LMI428D.tmp\rescue.log

Filesize
27KB

MD5
892ea8ef8104396ff678c8a794e54782

SHA1
a3ad14682ab5c6d35141a2dbc67707b8ad78165d

SHA256
e5dfdb4615db82c13fadf6e6338c1526582b56db0e2ca9c636723ee84f5e78db

SHA512
45193928a652f726ef11f70a9846eab8e26245cb6612524ca596ea49b79b62f6fa070bd053a20650a35d916593bbd141b8783b8f649132b9cd560ce3db3f1d09

Download Submit
\Windows\LMI428D.tmp\lmi_rescue.exe

Filesize
1.8MB

MD5
41e774079ab1a967aacf265e505985de

SHA1
1524d82a7c46bac90e6f89f8b71a1dcd67a383f2

SHA256
0ca7b8d017a00edf2920bb9c29a86a70fa2c197b2af0c5c8cac264e5d3962228

SHA512
4fd5fdd9720af6cf317bf49bd1adb766b315ce6b6b6b2af0e3d915770601fb75e38ac60fc870a1de97d35bf5346eb035a73db5c65f4addb5647a4b1e1ef1f178

Download Submit
\Windows\LMI428D.tmp\rahook.dll

Filesize
173KB

MD5
a74e732e69462a88ab84963abe26e055

SHA1
67ed07198a8d95e10e4e2c1c31f065c229d62e7b

SHA256
d079268ff103765a4fdab0e4ad44f1b6b5fe00d1aad9931eef63fd682818396f

SHA512
fed6cea867b41c5a0ffc875b7b80dc2b5ce9f15b4fbefc2d7d3ff03f7f5f0278c4c933f0a2e26c9938b9426aff9763300be143f2fde42a9533c93b797aca7927

Download Submit
memory/980-57-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download