Malware Analysis Report

2025-06-16 03:39

Sample ID 240526-lx6sjsfa74
Target 2024-05-26_9c772fdfec3835b0c3c00a027f1dfcbf_bkransomware_karagany
SHA256 dd547a0e134225a5b413ebe9fb894cf47a4f2aa72f69083d900086bf7238896c
Tags
bootkit persistence
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 2024-05-26_9c772fdfec3835b0c3c00a027f1dfcbf_bkransomware_karagany was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Modifies Internet Explorer settings

Modifies system certificate store

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 09:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 09:55

Reported

2024-05-26 09:58

Platform

win7-20240419-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-26_9c772fdfec3835b0c3c00a027f1dfcbf_bkransomware_karagany.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [binary certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\LMIGuardianSvc.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\LMIGuardianSvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_9c772fdfec3835b0c3c00a027f1dfcbf_bkransomware_karagany.exe C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe
PID 2208 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_9c772fdfec3835b0c3c00a027f1dfcbf_bkransomware_karagany.exe C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe
PID 2208 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_9c772fdfec3835b0c3c00a027f1dfcbf_bkransomware_karagany.exe C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe
PID 2208 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_9c772fdfec3835b0c3c00a027f1dfcbf_bkransomware_karagany.exe C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\LMIGuardianSvc.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\LMIGuardianSvc.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\LMIGuardianSvc.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\LMIGuardianSvc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-26_9c772fdfec3835b0c3c00a027f1dfcbf_bkransomware_karagany.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-26_9c772fdfec3835b0c3c00a027f1dfcbf_bkransomware_karagany.exe"

C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe

"C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe"

C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\LMIGuardianSvc.exe

C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\LMIGuardianSvc /escort 2816 /CUSTOM JoinMe

Network

Country Destination Domain Proto
US 8.8.8.8:53 secure.join.me udp
GB 2.22.132.97:443 secure.join.me tcp
US 8.8.8.8:53 alb.voip.join.me udp
US 54.237.12.88:443 alb.voip.join.me tcp

Files

\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.exe

MD5 7a87e7f5002f91e2e6ab0829040183be
SHA1 e988076aa1ca2d6e0318d56beda36e75b9f1c05d
SHA256 75c5b10e30c41bcd5f455b62e8db26b5f0da9bc15d8453769ff096f6d9f7fe14
SHA512 73f9c480c8adb40450e4fbe38b2350c277392b3721164a7d7228594a8bb670f1e818f938f20fd8c7e3f6a4ece4bc28f50d1391edea719a6874ea74a01c80288c

C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\jmlaunchermgr.dll

MD5 8ddeb2c511abea126f9d877b11e39675
SHA1 e7daf1b32f95db2ae043b8ebef2e97f2f3de2ed8
SHA256 3ed491aa892526ee4092fa6c3bd7baf713dedc7a2c9a511d4e6390a146a4ab45
SHA512 ad702279f4990ec07490e29fb95d194af2780fba8ff1fc1f57be4433cd69f8b61a78e62ad45256b418647d3b28825bec201dd0516500a5836e500c492cf933f2

C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\jmsettings.dll

MD5 18ef170348f43c491b91ebaad8f0144c
SHA1 f0d19881843091b230f35b6d5f9fd1b2b8a2f373
SHA256 264b285d96d48ee8e99c946f73ee472d8796a039318726e2683bc9141b99b7ed
SHA512 73723d42e0ec5890c1d02136370486b07296671de6ff770594896064fa2457a577e67db660e32f045d58ec3d063e293b5833d244adb00d736fb10f57307146e2

C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\MediaClientLib.dll

MD5 25c45f5e347142e7616c492d52e1cf9d
SHA1 b349bae558a80129154913878775a99749fb4241
SHA256 99b6997d537dd677683e3edb12446d2db2bd94687c2cbd6766cfb1eefe06a405
SHA512 a25a26b16272f9f3437cbd18938b0e45e73a25e615a624c81a7def6b541921c804163c25d2803fbda460e8f7fc9a6a847ffec3658d3483fd390de8f86980044d

C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\LMIGuardianSvc.exe

MD5 e5bc10fa77e71a0948b9d38632fa2ecc
SHA1 709c19ab35658c556597d18ba71233cf6f6f5f35
SHA256 583522d591ee99459d4094f0df29f48899da77e73e4a35082c8d331e17304fd1
SHA512 6c01ae41273435a81fcf88d2e4a3ce3a3d9b1977764f01db564051f4ba9fc1601ac9682e5d7ae9be54c8c05d5d80a9e52f73957feee86e726e1ba83c7569b2ee

C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\LMIGuardianDll.dll

MD5 aa7ab143962f5fbc52f10f0485c182f5
SHA1 86de4af44a455a2480556d87768b46b51e54dcca
SHA256 29243fcbca0e35d711607b1a02cabda38f15f5fa0809a65294c9909d705f9c31
SHA512 9b632a8b63241ee089b3e81d65b5b3943e7c40b533cfe57ced07cf84730f21c8904d68d7ca6153d296bcebd59fa5fee69cdd0e6ff33d09d8ca22169ce2860817

C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\config.json

MD5 12cbad23d957aa62e524bff967fa7d8e
SHA1 4443d322d2cc9ad299f07f69d5fc2e18276280f6
SHA256 0792ee8d56f1501836ce892d58570e82bb03ceff68aef466f3e3c1b71955617b
SHA512 c1cc9ea0aca722b81b1be946631777787a75fbe374f353cae2ebd0657f8d31dd8232fc558759c60ba5810012e47c7f7b02cac60d6081457c318d024c6ebe11e2

C:\Users\Admin\AppData\Local\Temp\Cab58BC.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar58DF.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Local\Temp\joi1DBE.tmp\join.me.log

MD5 1c5a83366552643d5b56306ccbcffc64
SHA1 73050989d7e56745d747e6a31d311f86e4843ca5
SHA256 8c6dbe61349d24d7d7e1d1f2c715e31a2eb4d32803d19a827fd573e0be098340
SHA512 a0e07cdda04fb12d7210edb52129fd8798ffe902bf51482316d17129e5eace2004ee717c23f8510d4ed7be55fd95addc82373e92cbc357dbc03a352e7c02c109

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 09:55

Reported

2024-05-26 09:58

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-26_9c772fdfec3835b0c3c00a027f1dfcbf_bkransomware_karagany.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\join.me.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\join.me.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\join.me.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\join.me.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\join.me.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\join.me.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\join.me.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\join.me.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\join.me.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\join.me.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\LMIGuardianSvc.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\LMIGuardianSvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-26_9c772fdfec3835b0c3c00a027f1dfcbf_bkransomware_karagany.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-26_9c772fdfec3835b0c3c00a027f1dfcbf_bkransomware_karagany.exe"

C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\join.me.exe

"C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\join.me.exe"

C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\LMIGuardianSvc.exe

C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\LMIGuardianSvc /escort 2760 /CUSTOM JoinMe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 secure.join.me udp
GB 2.22.132.97:443 secure.join.me tcp
US 8.8.8.8:53 alb.voip.join.me udp
US 52.54.13.8:443 alb.voip.join.me tcp
US 8.8.8.8:53 97.132.22.2.in-addr.arpa udp
US 8.8.8.8:53 8.13.54.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\join.me.exe

MD5 7a87e7f5002f91e2e6ab0829040183be
SHA1 e988076aa1ca2d6e0318d56beda36e75b9f1c05d
SHA256 75c5b10e30c41bcd5f455b62e8db26b5f0da9bc15d8453769ff096f6d9f7fe14
SHA512 73f9c480c8adb40450e4fbe38b2350c277392b3721164a7d7228594a8bb670f1e818f938f20fd8c7e3f6a4ece4bc28f50d1391edea719a6874ea74a01c80288c

C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\MediaClientLib.dll

MD5 25c45f5e347142e7616c492d52e1cf9d
SHA1 b349bae558a80129154913878775a99749fb4241
SHA256 99b6997d537dd677683e3edb12446d2db2bd94687c2cbd6766cfb1eefe06a405
SHA512 a25a26b16272f9f3437cbd18938b0e45e73a25e615a624c81a7def6b541921c804163c25d2803fbda460e8f7fc9a6a847ffec3658d3483fd390de8f86980044d

C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\jmlaunchermgr.dll

MD5 8ddeb2c511abea126f9d877b11e39675
SHA1 e7daf1b32f95db2ae043b8ebef2e97f2f3de2ed8
SHA256 3ed491aa892526ee4092fa6c3bd7baf713dedc7a2c9a511d4e6390a146a4ab45
SHA512 ad702279f4990ec07490e29fb95d194af2780fba8ff1fc1f57be4433cd69f8b61a78e62ad45256b418647d3b28825bec201dd0516500a5836e500c492cf933f2

C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\jmsettings.dll

MD5 18ef170348f43c491b91ebaad8f0144c
SHA1 f0d19881843091b230f35b6d5f9fd1b2b8a2f373
SHA256 264b285d96d48ee8e99c946f73ee472d8796a039318726e2683bc9141b99b7ed
SHA512 73723d42e0ec5890c1d02136370486b07296671de6ff770594896064fa2457a577e67db660e32f045d58ec3d063e293b5833d244adb00d736fb10f57307146e2

C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\LMIGuardianSvc.exe

MD5 e5bc10fa77e71a0948b9d38632fa2ecc
SHA1 709c19ab35658c556597d18ba71233cf6f6f5f35
SHA256 583522d591ee99459d4094f0df29f48899da77e73e4a35082c8d331e17304fd1
SHA512 6c01ae41273435a81fcf88d2e4a3ce3a3d9b1977764f01db564051f4ba9fc1601ac9682e5d7ae9be54c8c05d5d80a9e52f73957feee86e726e1ba83c7569b2ee

C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\LMIGuardianDll.dll

MD5 aa7ab143962f5fbc52f10f0485c182f5
SHA1 86de4af44a455a2480556d87768b46b51e54dcca
SHA256 29243fcbca0e35d711607b1a02cabda38f15f5fa0809a65294c9909d705f9c31
SHA512 9b632a8b63241ee089b3e81d65b5b3943e7c40b533cfe57ced07cf84730f21c8904d68d7ca6153d296bcebd59fa5fee69cdd0e6ff33d09d8ca22169ce2860817

C:\Users\Admin\AppData\Local\Temp\joi46AE.tmp\config.json

MD5 12cbad23d957aa62e524bff967fa7d8e
SHA1 4443d322d2cc9ad299f07f69d5fc2e18276280f6
SHA256 0792ee8d56f1501836ce892d58570e82bb03ceff68aef466f3e3c1b71955617b
SHA512 c1cc9ea0aca722b81b1be946631777787a75fbe374f353cae2ebd0657f8d31dd8232fc558759c60ba5810012e47c7f7b02cac60d6081457c318d024c6ebe11e2