a3b2fca72d8a599b526436774eb796bdabd92ad99bc06b249978f82d8da3dc2d

Analysis

max time kernel
141s
max time network
175s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 06:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a3b2fca72d8a599b526436774eb796bdabd92ad99bc06b249978f82d8da3dc2d.exe
Size

1.1MB
MD5

1b80115edb1d42d3af249918c38f2102
SHA1

2f9b16c0faa5ac2bd95daa7a542e8aa631a44de8
SHA256

a3b2fca72d8a599b526436774eb796bdabd92ad99bc06b249978f82d8da3dc2d
SHA512

af0438d0851257eac162edb82a34db08ecb26a8761bd54e18f28ac89a1648fd6f9b652a270982c1c007e6ac01657b05349ca49e279938a36651f2aaa07e7cddc
SSDEEP

24576:pSPatCg7EPimZppQtJunSwtHNBBlIRtG/Z1CqlL:3tV7EPimVlnSw5IRE3CEL

Score

8^/10

bootkit evasion persistence trojan upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
956	lmi_rescue.exe
276	lmi_rescue.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000126bd-66.dat	upx

Loads dropped DLL 2 IoCs

pid	Process
1348	a3b2fca72d8a599b526436774eb796bdabd92ad99bc06b249978f82d8da3dc2d.exe
956	lmi_rescue.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	lmi_rescue.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_1918073755 = "\"C:\\Windows\\LMI780E.tmp\\lmi_rescue.exe\" -runonce reboot"	lmi_rescue.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lmi_rescue.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lmi_rescue.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	lmi_rescue.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	lmi_rescue.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\LMI780E.tmp\params.txt	a3b2fca72d8a599b526436774eb796bdabd92ad99bc06b249978f82d8da3dc2d.exe
File created	C:\Windows\LMI780E.tmp\script\BlackOpsFix.bat	a3b2fca72d8a599b526436774eb796bdabd92ad99bc06b249978f82d8da3dc2d.exe
File created	C:\Windows\LMI780E.tmp\script\CertInstall.exe	a3b2fca72d8a599b526436774eb796bdabd92ad99bc06b249978f82d8da3dc2d.exe
File opened for modification	C:\Windows\LMI780E.tmp\rescue.log	lmi_rescue.exe
File created	C:\Windows\LMI780E.tmp\ra64app.exe	a3b2fca72d8a599b526436774eb796bdabd92ad99bc06b249978f82d8da3dc2d.exe
File created	C:\Windows\LMI780E.tmp\rahook.dll	a3b2fca72d8a599b526436774eb796bdabd92ad99bc06b249978f82d8da3dc2d.exe
File created	C:\Windows\LMI780E.tmp\logo.bmp	a3b2fca72d8a599b526436774eb796bdabd92ad99bc06b249978f82d8da3dc2d.exe
File created	C:\Windows\LMI780E.tmp\rescue.ico	a3b2fca72d8a599b526436774eb796bdabd92ad99bc06b249978f82d8da3dc2d.exe
File opened for modification	C:\Windows\LMI780E.tmp\params.txt	lmi_rescue.exe
File opened for modification	C:\Windows\LMI780E.tmp\rescue.log	lmi_rescue.exe
File created	C:\Windows\LMI780E.tmp\lmi_rescue.exe	a3b2fca72d8a599b526436774eb796bdabd92ad99bc06b249978f82d8da3dc2d.exe

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
1616	bcdedit.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	lmi_rescue.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	lmi_rescue.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	lmi_rescue.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	lmi_rescue.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	lmi_rescue.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue.exe\AppID = "{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}"	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4f28-B191-A6EC8801AB3B}\TypeLib\ = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}"	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\LocalService = "LMIRescue"	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\FLAGS\ = "0"	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0\win32	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\HELPDIR	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\ = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}"	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4f28-B191-A6EC8801AB3B}\ProxyStubClsid32	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\AppID = "{359471F8-E218-4b08-8D1E-8DFBF2F0F700}"	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\Version = "1.0"	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\Version = "1.0"	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\AppID = "{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}"	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\TypeLib	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0\win32\ = "C:\\Windows\\LMI780E.tmp\\LMI_Rescue.exe"	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\HELPDIR\ = "C:\\Windows\\LMI780E.tmp"	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4f28-B191-A6EC8801AB3B}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4f28-B191-A6EC8801AB3B}\ = "IRescueSvc"	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\ = "Rescue Com library"	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\RunAs = "Interactive User"	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0\win32\ = "LMI_Rescue.exe"	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\LocalServer32	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\LocalServer32\ = "C:\\Windows\\LMI780E.tmp\\lmi_rescue.exe"	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\TypeLib\ = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}"	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4f28-B191-A6EC8801AB3B}\TypeLib	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ = "IRescueSvc"	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ = "IRescueUser"	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4f28-B191-A6EC8801AB3B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\ = "LMI_Rescue.exe"	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\ = "LogMeIn Rescue GUI"	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\LocalService = "LMIRescue"	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4f28-B191-A6EC8801AB3B}\TypeLib\Version = "1.0"	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ = "IRescueUser"	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4f28-B191-A6EC8801AB3B}	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4f28-B191-A6EC8801AB3B}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0\win32\ = "C:\\Windows\\LMI780E.tmp\\LMI_Rescue.exe"	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\LocalServer32 = "LMI_Rescue.exe"	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue.exe	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4f28-B191-A6EC8801AB3B}\ProxyStubClsid	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\Version = "1.0"	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\FLAGS	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"	lmi_rescue.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
956	lmi_rescue.exe
276	lmi_rescue.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
956	lmi_rescue.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 956	1348	a3b2fca72d8a599b526436774eb796bdabd92ad99bc06b249978f82d8da3dc2d.exe	28
PID 1348 wrote to memory of 956	1348	a3b2fca72d8a599b526436774eb796bdabd92ad99bc06b249978f82d8da3dc2d.exe	28
PID 1348 wrote to memory of 956	1348	a3b2fca72d8a599b526436774eb796bdabd92ad99bc06b249978f82d8da3dc2d.exe	28
PID 1348 wrote to memory of 956	1348	a3b2fca72d8a599b526436774eb796bdabd92ad99bc06b249978f82d8da3dc2d.exe	28
PID 276 wrote to memory of 1616	276	lmi_rescue.exe	30
PID 276 wrote to memory of 1616	276	lmi_rescue.exe	30
PID 276 wrote to memory of 1616	276	lmi_rescue.exe	30
PID 276 wrote to memory of 1616	276	lmi_rescue.exe	30

C:\Users\Admin\AppData\Local\Temp\a3b2fca72d8a599b526436774eb796bdabd92ad99bc06b249978f82d8da3dc2d.exe
"C:\Users\Admin\AppData\Local\Temp\a3b2fca72d8a599b526436774eb796bdabd92ad99bc06b249978f82d8da3dc2d.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\LMI780E.tmp\lmi_rescue.exe
  "C:\Windows\LMI780E.tmp\lmi_rescue.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:956

C:\Windows\LMI780E.tmp\lmi_rescue.exe
"C:\Windows\LMI780E.tmp\lmi_rescue.exe" -service -sid 4c1102c4-70bc-46a2-9800-fcf3e02b5d1a
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:276
- C:\Windows\system32\bcdedit.exe
  C:\Windows\system32\bcdedit.exe /deletevalue safeboot
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\LMI780E.tmp\lmi_rescue.exe

Filesize
1.6MB

MD5
091181b2f29c1c7c510b291ad908bc23

SHA1
aacb448cea0e6771dbda08fe78aac2d62e977d40

SHA256
91af7d382914b63229db2e6b3eabe0980af94fb7e22931c09a949c437e45bb75

SHA512
e0d2f60d34811b32c37ffdc8f3e4490e5c6daa7cda3c829a5e21913573e46e8ab0c40dd0406ae8a527f40505b39fcf22c871716193a02162c7686fd5bef093ab

Download Submit
C:\Windows\LMI780E.tmp\lmi_rescue.exe

Filesize
1.6MB

MD5
091181b2f29c1c7c510b291ad908bc23

SHA1
aacb448cea0e6771dbda08fe78aac2d62e977d40

SHA256
91af7d382914b63229db2e6b3eabe0980af94fb7e22931c09a949c437e45bb75

SHA512
e0d2f60d34811b32c37ffdc8f3e4490e5c6daa7cda3c829a5e21913573e46e8ab0c40dd0406ae8a527f40505b39fcf22c871716193a02162c7686fd5bef093ab

Download Submit
C:\Windows\LMI780E.tmp\lmi_rescue.exe

Filesize
1.6MB

MD5
091181b2f29c1c7c510b291ad908bc23

SHA1
aacb448cea0e6771dbda08fe78aac2d62e977d40

SHA256
91af7d382914b63229db2e6b3eabe0980af94fb7e22931c09a949c437e45bb75

SHA512
e0d2f60d34811b32c37ffdc8f3e4490e5c6daa7cda3c829a5e21913573e46e8ab0c40dd0406ae8a527f40505b39fcf22c871716193a02162c7686fd5bef093ab

Download Submit
C:\Windows\LMI780E.tmp\logo.bmp

Filesize
7KB

MD5
4925bc92dac27cf1f12c26cf72002820

SHA1
14d36e8eb66ce3704cf347657adac7fc460178a6

SHA256
af1d81679b00a6c34b9c95d6919fa70d6d6d8ad2e6df3a466a6cff2a0cba6fc6

SHA512
d119d557afce5f5117877f404e3ed32d451148bfac03f46296c70b0f34eff7a55724555f9b1edd76d202b43eafcc74568ffdedd6e60cef07491d7afb603a19c9

Download Submit
C:\Windows\LMI780E.tmp\params.txt

Filesize
210B

MD5
5e7b8fe274e020862c25c434d77bb9ab

SHA1
a7b8a34a432bc79bbce6570062869ea8e6335b76

SHA256
c599225b3ca8658a3684a63ddfb9b806fb61acefccd1771cb696c6f95c7e0f11

SHA512
9a4cd68fabf454b2e57e83bd515e9863622d63ad088092ffe378bf91e7afba987f63da445225e331328e6aa3ca624ec042157cefde5dba28f12abb1687bfdc45

Download Submit
C:\Windows\LMI780E.tmp\params.txt

Filesize
260B

MD5
536df5c1d5d166fee483a508c1c87162

SHA1
3c19d4fc32bb92493ef45af36a25037ddeda3b45

SHA256
d2a1c90387a4b2a0a527a41901fe64b190a19ef2be13900a400a1c57d0cf0713

SHA512
9019fc79ebd07e360188d4d2287ef11d505d08743b07644f7d3a97e86615591666a6fdf573a729f08d31f96a85c34e20140368f904bb1c853885c19543812a3f

Download Submit
C:\Windows\LMI780E.tmp\ra64app.exe

Filesize
79KB

MD5
82a517bda8e737c70b078859ebd11e40

SHA1
2bcf82fdad9f6ef9c4f4bafe069f8fa18bfd3642

SHA256
839cde75f90803433f39f65be7ac0c00b2fa9000aecee2cfe2248e0dff5837b9

SHA512
9e2ffc67dee0e4fa22fe0347e63c837113c110912b74aff3f4753d86aa9bd2d264af3fb0dafa830b77245803b340c67fcc725ef5d77779955aa631a1d7274980

Download Submit
C:\Windows\LMI780E.tmp\rahook.dll

Filesize
173KB

MD5
d93540d74f0c59ac67e4daa085d38cbc

SHA1
904921f4521058eab2dfa3041d5393f8b069f4cc

SHA256
af1513934a0465c146ccbb652e6cae92071c7ebaa96ab2717b6e6d011b1cbb6f

SHA512
40277ec4bf526c1d7e7a229e040ca2e8abdba43ff6b5c38c947bf50302690df1d3742fb3faa608fad512f839b4170de69c03221f1d14a6620b9ebb089de68fff

Download Submit
C:\Windows\LMI780E.tmp\rescue.ico

Filesize
26KB

MD5
44c467431645211826be658ec9cac3eb

SHA1
7f7a5f6494c732112853bdb36769bf244d326172

SHA256
352025ff485b977ebd850a25cac67859d7fbf98562f9a7720b0a25efc20f8017

SHA512
02ab69bbf9478c3671ad17c06e35d43f0e6158b4b21a42425fd9bd839f59f115901bf3721d46ba176023e40242a7b2887a19992e0eec9b414728b3b4c7160a02

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
26KB

MD5
df2389139004e63092eb7e503781e7fa

SHA1
699c76b51c2d166b53d20e27baa3b9abb9721f9e

SHA256
e77e89e05f97adbc7aa2f396c250521b568332d9e3ec946e28be614b2be2d19b

SHA512
40cae16a7afe870a86d411aa12ec870d0aea0904edc8f0e47415eb58ec3099cb1bf1a58065658dbc122325c0c337498b206bcd491ed6327b91c205ad922cc148

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
26KB

MD5
969a851507fc392a4ad4f55447c2eb1b

SHA1
b9a2f3c5ba65de5704242a0bd8d9df6a9476fdb1

SHA256
b5c005cf07df25bd7e64d928728ec61d2e1655e6b7ddbd37dac4697568ef4fc3

SHA512
21b03ad4f48b72e1f87c4ad1ed47e55b9a28df75c8772db65f0fac1525cd7885fa61840510f57d456a39ddb32b78314f40964139127bf5c501214c23ae6264a5

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
28KB

MD5
1a4ff2e0d1fb12423aaca9ab5af8e96b

SHA1
0c0e01d52040483c99f3b13ad3006877bc640bc7

SHA256
46eeaa4c62a17f65e1d2895581af6de5fa2ed330a2e66850e0fb86362b02cdc3

SHA512
71da4a8ef55eeaa16ba4562a9d046d208b8f066bf64483da821707df6f8e730edd700c322dd85ece049d9546d65c87d70284fe3330d4818cb0d7e98d93ed2459

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
28KB

MD5
2710e0508cf90fdecaf9388d10dcdd06

SHA1
f392ad585c9f1bd51f91f15d75fa4e6a7776ec3c

SHA256
b930d7d387a0a8d27af85e2cad2f4e886bf4181ac39b50eb4f7a78b32bfd251f

SHA512
0decfd0fcded24befb621bccf6d2b1398f5b899fa00566136103c809d706dd3626c3843a21313be09bffda702a135e04f5f2aead18d5827721271ceedddcd410

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
29KB

MD5
576de4ef23edd30b9d5b409349bc0a68

SHA1
fd06c41377a712ade14be00eafecd68949e1b48e

SHA256
058ab9a50ce43f9a1f84c1143c7a5a5b07704cf8969f8fff614faf2a97f78d41

SHA512
e6447dcfc01f5e2fd33c3a40fa1baa7c0345443db63a33b75bf443db2b5cbfb756ea5f5cf239c82f6d4afa46f7dfddfbb0e236ee537a748b89ece22567d59990

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
29KB

MD5
fe995615ee113166c442d0a54904bd6d

SHA1
9bacca98087f176535a0412baf85d502f3623455

SHA256
eaea2e5cf6a3fc581552fa1a1bc81da5254b133f1b82483bdc97c2d6f263b52f

SHA512
6dc4a45742ec33fbc35580f6ec83cb9eea0137b83278c431104afe0b4be4012bc3aa32e3499add5861c3894276e74d766b22ac69a7ad14d08b23d17e517810cf

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
32KB

MD5
59aa050d65538c186902c1772eba5585

SHA1
9b81d36ff27c9608d377306ec781037ed76b24a6

SHA256
84bb7d754b93c357c5c01b92608c8e2319fb7afb07ce9d4c4fdb066b060e5368

SHA512
4b306e905b643c92099dc55101bd75c743a6674c9c8b41f256ea29ab9b0cb9dad4082a370de784087dbd9e03709e080b9b39a30b3e5c9ca90051968b38031487

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
2KB

MD5
d53ed348b9f32629e0fc36762dea023b

SHA1
dc126a043d3dfa96063bb001a3da9c2337811414

SHA256
631b8b938431aed584a2a1032f369f2948f0efb58d1c049789a6cadef2aab9a4

SHA512
c8964b44c2213251be62a52902e87ea028b5c54653435ed9bfdc091ca06645600677aef002371ba91f20ad1b0e1d46129326b79e42ad0306ce11b1ffadbe481a

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
4KB

MD5
9b7567b08e5f199880dc219cc0c78e7f

SHA1
541e6bc967788f6156b43efb2f7b9fbd17657626

SHA256
1aa00acd5853dcf763a108925257dc6623d0751a79384d8769f658a8947df9e8

SHA512
df6c2dad6b3383e23e96c3961aa4a4380246d0841b912dce81486e7e70e16cd69e900f49c5edcbc3976c17f430793763bdc9a761667b0b2228253433ad70dcad

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
4KB

MD5
2f5edebf54ca50680066c23d66f977e6

SHA1
38efa851081e9adc35dd8fbac6c4c2985220e259

SHA256
792d68c63cdb057a7c2e0064867a2c6b76cb5b6d4234f2b19fe113a8a7cc2dca

SHA512
74a3b27442d849f6cdb71dbf15911eb6a118a524a2b1e712d452d8b773167739b828d1fa1aaac7d197e6ccaed23d89b3069cf6484431e55d283845a59f895185

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
5KB

MD5
a894a2e6322fc1aff2357db706f8523a

SHA1
29ac4ad39f2e4bb44bb6655c468add9788d2b223

SHA256
d4a322ed29de74c8e93c55fc9d69987cb624b1715c41d52399cc8019dcd68975

SHA512
4af4e5a6159f6c281be6ae852e08c4163eb21fff5d9d1fb47df8997620b36963038a46882b7621be36fe60c62ed7127c3446e20695f183f0392d399a5e5173af

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
6KB

MD5
15fe04490acf95e777b00d6d8ac3fac4

SHA1
e6eb606ebd6cbf86c8c15050017c225fb90c6a3f

SHA256
8d96bd993c2e9fd29bee912c51eb356cdc737cd1519e620537f5e1cbbc447511

SHA512
c46fec18070cdfc5a7740030e6fc2bd431db63df2134fde95180ddb214fdf3e37d3002655b1af56509ff6950e985a65e44db19d3b0691a391642307f39cf2108

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
6KB

MD5
6f42b0eb00a842d0176ed794ac6e2f4e

SHA1
e51a6f78f4cb49587ec16c24d330b806e307132f

SHA256
7ac0f5f6371ccbdde8f2b0c0398e5d90b2eaebfed66f82abc0633a292f0b9813

SHA512
14231a37fd357aa9541b71477b16aa49e092ae72a8e5d8773c507f63b65eeb024471eb67b96a9ae2e916fb18da9e63ee10abb5cace696efef3a0d38f45e23bda

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
7KB

MD5
7c7d0d0c76fd2e1cd6d041db3f0a4e36

SHA1
3c1cd9ab95d6e3d25ebb5a8f1bc980d9b5642161

SHA256
3e678e96e4e20ed5efb62925518abba29f0610d0739bd60480d4b2cf375f99f5

SHA512
2696b02e662e6176a8bd9f38320c506a27eacd62926a7fce16628a3a1357dbf29cc68556f05a3821b5224522a5916c9964a469c41c16b845999ac0cbc703e8bc

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
9KB

MD5
ccf4534ae82528e934134f2f3812c309

SHA1
483cb1db83c2fd31133962061745cba207ea51ae

SHA256
5a58771a40cb3517e22090f79c1f687d784d87784ca2b0e7521c7b1197d77e96

SHA512
85df5dfbfec1ace5a2a754059030bf6f36534b10dac878de1bee1749ef66201bbd99ed93b02c9b5111cf4afad677b63ffa2916c8c314c4e2f90f2d79cfd122b9

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
10KB

MD5
d5186ffcebb26f27d416db821e2830dd

SHA1
f1fff814e5554447765a3c42d4cd8dc1fa9742e9

SHA256
1f92fd53ef2b6d0223e28a3019bf94ba1697c5d57a08629a6f14c91e80018be2

SHA512
2708d3025f1ffdd6640e2884c70dd1d89cd86e2e265363b1b28640f23f4e6c95ae1d0dc12d6f03215ba44afb7804c719873b0b42aa21d6867e7015fab0736afa

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
10KB

MD5
ba51b5fd994d9efed089975ce0ee2801

SHA1
04cae03bbfb6a42eeddcb43fda1123797b260e00

SHA256
152d53e290b2c9839881875257b18fdb834a91339b36e7cffb76d1847f2860f9

SHA512
483f8c72314a3fdffe7578e45c942fa52c65ee52cb6efa7a9aeba261a00749dda20d943e3067c8764aeb4ee6251e27a196939fd9879c4f014566eb058dc11a03

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
10KB

MD5
c9769bf5067babe70474fce3888e50cd

SHA1
9a9b2b9f496f8297e489bc25f858fdd32adba310

SHA256
63e3875c8fddb8649ba84ea08c9d22ae27ed9087c21a9f2910d841b36208156c

SHA512
fd021310989745b9eed4f832e06d8b0db87902759f56ab9051fe5c7d19578fc41b715cdbf0cdecddf57c55384f9b96b35b71a0642cf7cadecd483b189f610079

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
13KB

MD5
5c1ed8291340e22c9f5fb1033f031afe

SHA1
04add8095f4bbd656dcb9334cdc623b55fc036a7

SHA256
ccf697830624cc285433b344b76e4c2daf508ebc0e774a85afe1dbc2b0b7b223

SHA512
3c62f94b675009bb581a502a9f7ebd1f4b70176ebfdfeffc9872bdbc86d9783f8b8da21be897a0b53e5dad0923bd6f093734c940e4c8f0f0b24b29799c19252f

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
13KB

MD5
5c27560f066c8be90d277e946493f2e1

SHA1
1560ba3796eda8e2367db17d4c49515d5803f2bf

SHA256
c0e8a520b4b68e8a2e261bf60a32b8edf9984f0a0eb13c7abae2e403041e8867

SHA512
0c7d776fc924a6c5837969c061bf88ca2204ea273fdab354d3ad4062375c0fdb9892960ab5085c40fc6521bcbfc32631f418f5dd88ea163a616700a6d91267e1

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
13KB

MD5
7498c2dc2bc67b0e3311c74cf3943f52

SHA1
ac819551cd8cf46ce8f0e8c4f367d8b9a7e28a26

SHA256
9e713cc08b12f151275da42bcf6e6d8e8ffad2720bf6920c4b0762655c9a77ef

SHA512
513f3409b92282b462494c0366ca299fd878432914154d72c65f6d8ca098a078a5be1fcec0589b5471deeb9acd1d31808c99ea084e592deafaa28c088f6ce295

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
14KB

MD5
b96a6dd943fbf7f9cc312f7a777293bd

SHA1
3285edc793370307670408cdd5be5256c04adf91

SHA256
b920ffdcdd94771c9d92cf6dd80f1f94c114609667faa434f8ba9823d03cc07c

SHA512
503a3af4a494a0df31fe6806f81782ac80b98cb04d3c42db8f24ba5ea0c3ae3e78c1df845c04092ed3ee387c6dcf8c53c858d0eb58fd61c680c6f667d002d5b8

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
16KB

MD5
15efe126878737d99def1c44d039af44

SHA1
9395f314ee4a111c795314c749eefaa2c9b5a943

SHA256
bb048d47ee328e2acd3cf2326ef02ccfa0caa27e2dd40c6c6d9a3be4f7e30024

SHA512
492216469bce9a0dff1149692ae0a1a8d45f4c1cb1d8a7c14f042788ead66150077fbb456c9f02345163ec14f40c2fd5cfc5e104d1b455f7cf25a0e33089aabf

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
16KB

MD5
855c90afacf6782245309bc9e320be1f

SHA1
d32f1523aabba57424f9d39399b00a8e9675259b

SHA256
8e9058a69a9f152f6f0203d40a295e33d18681c41db0d5376a1b46f451248cd0

SHA512
66f1b640684a2519beac21b94c9fbaf87d5d59f98a22fe553ead4e94187da8a2e5c186e4f9fc1460098c735f35201fa6397d1a9cc70febcb16311a54faf730b9

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
16KB

MD5
ff8dc94c902fcd8424e66aea9f2b282d

SHA1
c19e43fc8e2a7000a5d03e79413e1bc9f4017309

SHA256
bf516a1089e6efb669f637cfafc64f5e002806ecb464bf69eb11b557ffb62006

SHA512
7ea1336b1229972f1f716ea37c777ceeb7f9c52ecae5d153b980b98c1151507ed754c4a5e7e36c77ab89dba3700c76a4c0025a7c5a4c8678067139ef2402a945

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
17KB

MD5
e50dbe2e9ed4aaf8ece075503a80c6db

SHA1
22a70d41acdf3445071aea419a9cc5db8a16a5ff

SHA256
00ea838bd4a61ff5c7236ad05c15f33d55baecef5b3c074990d6b164b5fdc0c6

SHA512
f1c0a4a6a845c2314b4db265666eaa36ecea29c559e36e3435969734363489c9c5601001c05e43e2cd40437f3456d3a4022a66cf62d4ff4fc6c8a9694d459818

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
19KB

MD5
1b03414d9033564536baf009f8329b3f

SHA1
9981e3836df742a007fa9706b4724abc8794a55a

SHA256
0abca6d6e81268fa528605996d1d172ce4f0e523e13e69914680a171cd214e64

SHA512
68eac75084794dc6dfe2e56e25cf17c8a23e8c949ef1d88cdaa586940e19d19d92ca09a1a67143325be62ac92b931c3d1b7b5aab452962e4031c961517ba027d

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
19KB

MD5
cd143a4d9fa01b638e60803067c9469d

SHA1
2cf9a003f6219548e0c0816b97f72489a47d3bac

SHA256
8082ae0b5f0890c6d2b3592e861403fc2fa618bcdd0514f8671ffb03a20c0ae2

SHA512
9b92e779175ea1f9901aa7dfa700f21625c3cc99e5637ccdd3988542f609b685d9c19b49452b0dc0035c67c593e8929e53798c37edb6033f18279d67cfe5d8a2

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
19KB

MD5
7f19353ecfd3c10971a4b17962aab003

SHA1
e220ae425b61b5ff82f3cf6878c91adcb5da587f

SHA256
f2e437f2938579802f1b771aaa1f9afb54b33939c757667f6447422fefa76bf8

SHA512
b0fb29b788fa91dd3327a7cf57b812207637e818e32504ecb58cbd120fc9abbb9d0d19fbbd686f7255f0e6b2ef639c3cf52b94b2b23bd41341b53ef5aa74d6b5

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
20KB

MD5
ba9f5fda27eb587d66c0cee490096c28

SHA1
be6f614eeae0496100aa0e57e57b09f156cbd844

SHA256
f0f862d44504cb8427161150f55b7f6bf21a0573b241c8858e0c11822bf559e7

SHA512
9161f6369d1f7fe54ff08ea3e23af10d2d98031634415d862c5fbe7e74a21044d2d42db33bd088c2787df08e5216bcb45f3f1e94ba481911583f632bc92bc86e

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
22KB

MD5
5aedba0b736fc9363326be5b89cf000a

SHA1
600e657a1b42c0321e0aa9a1504335aac0d73864

SHA256
b3bad02f16ef068f837d71dca61412a3a506a723c86457effab2a9efc138ad27

SHA512
d57c7badca2aa4a814a9e35ba2f95be9aa274af208c3c994e324ea369ebad1596f0f82712114d9b2de162f74ce45d3743801273e2ae9b42b0c4f1b4791d499ec

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
22KB

MD5
e24fbd227c5758b406ddacdddec8b523

SHA1
1821fb685fa8d4116c9b8be29deca82afd194a84

SHA256
5797d6310f9a22d9468e755b066806832562c611e5288f09f63d359dc21a39e8

SHA512
c224aaa8b5a44a0babab436d132dd9bbb010c67ac974d7c3b15855d54df287cd199bba0338f17d63acf9b291d4ccaa9613103e2074dffa24895dd70e4066af25

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
23KB

MD5
b16dd1c8a239787d5bededcbff3064c9

SHA1
ced4c5511c9745874f3ebad4c98a203ee135b8b0

SHA256
ffde512398d7ac6395da9c5cf9888125c1a04a5a9f953fc60363a00413e61643

SHA512
a3b8bd55c075206ac985366ebdd034cc0e57dcb328126e72de1f80e278d71b4551c581bd767a09712584be6b07268c645f3ff69a260d862b5c4b819d9feee930

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
23KB

MD5
db708dba2805469b255c41ccf884ac11

SHA1
63405f34a06bc34090a878023164d8841226ae69

SHA256
36b8b2e3b0f5fdfe5eaf016de25aacc4b5d0871142d419f658a6022f53d0079d

SHA512
8d5dc4377677a9e9a6caf6efa80c0cdf1f1a5b2d1cd619cf0ee76408be2f7ab2140abca4077090d0524bb4de998dff8549cd60b07da1b60750a8fcd3e6143b42

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
25KB

MD5
38be908e4438bdf7f969339a61557f6e

SHA1
8ef7f805834bd27e91313e27fe992c904e3875f3

SHA256
bdc08dcc5db4b6a69f6dcf3d17007acaaf80fc3c87fa86e541590f22e4ec0765

SHA512
3cd2ff4d5266303d7ce5f815a61637628cf375d37c7629c0e68dc35bab74cb87033049daae67c7156c852ff7751565d841e888819e8b9c7189384e6957f64363

Download Submit
C:\Windows\LMI780E.tmp\rescue.log

Filesize
25KB

MD5
7fd4bd1689abce5e964f2344c7140a44

SHA1
3a3dcee243e5ea1e5761ccf9013a3278d0463ee2

SHA256
5464019d3058f857187a9bce626cc0008a341d798513e7039c0b64cabd594003

SHA512
51a787ebae97a78d1f9f6fd5661d3fa67f916fc6935eaf609d03d6ba30fa0ae96efaafc8d767186f6997063420a9e2bdec2d79eef44ce57e3624475c9aaafc9d

Download Submit
C:\Windows\LMI780E.tmp\script\BlackOpsFix.bat

Filesize
4B

MD5
f24f62eeb789199b9b2e467df3b1876b

SHA1
de3ac21778e51de199438300e1a9f816c618d33a

SHA256
e596899f114b5162402325dfb31fdaa792fabed718628336cc7a35a24f38eaa9

SHA512
c2636ad578f7b925ee4cf573969d4ec6640de7b0176bf1701adece3a75937dc206ab1b8ee5343341d102c3bed1ec804a5c2a9e1222a7fb53a3cc02da55487329

Download Submit
C:\Windows\LMI780E.tmp\script\CertInstall.exe

Filesize
257KB

MD5
c3d3f45e217447b3ecf0cb8f656a59eb

SHA1
fe8900af8f3000c18b2d60d747166514542c95d4

SHA256
1e4d09a404e3bd8726c788efaeb45a2cc999221db5890bfd1d3940e44ff21d99

SHA512
25818cebc6b3af2065180942dc4b8b0e0efbae88420bee6ee7975c09b0f1a230fb6a504261920ee18be4d7882697ddccbe3ffc6441632938bbff2e0005e1b216

Download Submit
\Windows\LMI780E.tmp\lmi_rescue.exe

Filesize
1.6MB

MD5
091181b2f29c1c7c510b291ad908bc23

SHA1
aacb448cea0e6771dbda08fe78aac2d62e977d40

SHA256
91af7d382914b63229db2e6b3eabe0980af94fb7e22931c09a949c437e45bb75

SHA512
e0d2f60d34811b32c37ffdc8f3e4490e5c6daa7cda3c829a5e21913573e46e8ab0c40dd0406ae8a527f40505b39fcf22c871716193a02162c7686fd5bef093ab

Download Submit
\Windows\LMI780E.tmp\rahook.dll

Filesize
173KB

MD5
d93540d74f0c59ac67e4daa085d38cbc

SHA1
904921f4521058eab2dfa3041d5393f8b069f4cc

SHA256
af1513934a0465c146ccbb652e6cae92071c7ebaa96ab2717b6e6d011b1cbb6f

SHA512
40277ec4bf526c1d7e7a229e040ca2e8abdba43ff6b5c38c947bf50302690df1d3742fb3faa608fad512f839b4170de69c03221f1d14a6620b9ebb089de68fff

Download Submit
memory/956-57-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download