Malware Analysis Report

2024-10-18 22:07

Sample ID 240611-tfab1sshmq
Target 2024-06-11_604d2b5e5d16c8264de15ffee5fb2018_bkransomware_karagany
SHA256 24f8b40b7119b9fd58a67a3c8d1ae5594235424f45e0022072112c241cdd0478
Tags bootkit evasion persistence trojan
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256 24f8b40b7119b9fd58a67a3c8d1ae5594235424f45e0022072112c241cdd0478

Threat Level: Shows suspicious behavior

The file 2024-06-11_604d2b5e5d16c8264de15ffee5fb2018_bkransomware_karagany was found to show suspicious behavior.

Malicious Activity Summary

bootkit evasion persistence trojan

Loads dropped DLL

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Modifies boot configuration data using bcdedit

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 15:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 15:59

Reported

2024-06-11 16:02

Platform

win7-20240220-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_604d2b5e5d16c8264de15ffee5fb2018_bkransomware_karagany.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_464376102 = "\"C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\lmi_rescue.exe\" -runonce reboot" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\LocalService = "LMIRescue_f46df5eb-8fea-4bd4-9b36-ff041179e0a5" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\AppID = "{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\TypeLib C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ = "IRescueUser" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\ = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4} C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0\win32 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Applications\LMI_Rescue.exe C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\TypeLib\ = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ = "IRescueSvc" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700} C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue.exe C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\ = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue.exe\AppID = "{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\FLAGS C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\HELPDIR C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC} C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\ = "LMI_Rescue_srv.exe" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue_srv.exe C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\AppID = "{359471F8-E218-4b08-8D1E-8DFBF2F0F700}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Applications\LMI_Rescue.exe\IsHostApp C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\ = "LMI_Rescue.exe" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue_srv.exe\AppID = "{359471F8-E218-4b08-8D1E-8DFBF2F0F700}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4} C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\ = "LogMeIn Rescue GUI" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B} C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ = "IRescueSvc" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue_srv.exe C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC} C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B} C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ = "IRescueUser" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700} C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\RunAs = "Interactive User" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\LMI_Rescue.exe" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\LocalService = "LMIRescue_f46df5eb-8fea-4bd4-9b36-ff041179e0a5" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700} C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\ = "Rescue Com library" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\ = "LogMeIn Rescue Service" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700} C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-11_604d2b5e5d16c8264de15ffee5fb2018_bkransomware_karagany.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_604d2b5e5d16c8264de15ffee5fb2018_bkransomware_karagany.exe"

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe

"C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe

"C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe" -service -sid f46df5eb-8fea-4bd4-9b36-ff041179e0a5

Network

Country Destination Domain Proto
US 8.8.8.8:53 secure.logmeinrescue-enterprise.com udp
GB 158.120.18.127:443 secure.logmeinrescue-enterprise.com tcp
US 8.8.8.8:53 www.microsoft.com udp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 15:59

Reported

2024-06-11 16:02

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_604d2b5e5d16c8264de15ffee5fb2018_bkransomware_karagany.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_464376102 = "\"C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\lmi_rescue.exe\" -runonce reboot" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Enumerates physical storage devices

Modifies boot configuration data using bcdedit

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\LocalService = "LMIRescue_f46df5eb-8fea-4bd4-9b36-ff041179e0a5" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\RunAs = "Interactive User" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC} C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700} C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\TypeLib\ = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue_srv.exe C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\LocalServer32 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B} C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0\win32 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\ = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue_srv.exe\AppID = "{359471F8-E218-4b08-8D1E-8DFBF2F0F700}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\HELPDIR C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\TypeLib C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC} C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4} C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56} C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\HELPDIR C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700} C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue.exe C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\AppID = "{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B} C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ = "IRescueUser" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4} C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\LocalService = "LMIRescue_f46df5eb-8fea-4bd4-9b36-ff041179e0a5" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\LMI_Rescue.exe" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56} C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\ = "Rescue Com library" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ = "IRescueSvc" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC} C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\TypeLib C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue.exe C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700} C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\ = "LMI_Rescue_srv.exe" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\ = "LogMeIn Rescue GUI" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B} C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-11_604d2b5e5d16c8264de15ffee5fb2018_bkransomware_karagany.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_604d2b5e5d16c8264de15ffee5fb2018_bkransomware_karagany.exe"

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe

"C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x49c 0x2f4

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe

"C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe" -service -sid f46df5eb-8fea-4bd4-9b36-ff041179e0a5

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe /deletevalue safeboot

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 secure.logmeinrescue-enterprise.com udp
GB 158.120.18.127:443 secure.logmeinrescue-enterprise.com tcp
US 8.8.8.8:53 control.rsc-app23-01.logmeinrescue-enterprise.com udp
GB 158.120.18.175:443 control.rsc-app23-01.logmeinrescue-enterprise.com tcp
US 8.8.8.8:53 127.18.120.158.in-addr.arpa udp
US 8.8.8.8:53 175.18.120.158.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll

memory/4536-34-0x00000000039C0000-0x00000000039C1000-memory.dmp

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\ra64app.exe

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe.manifest

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.info

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

memory/4536-187-0x00000000039C0000-0x00000000039C1000-memory.dmp