Malware Analysis Report

2024-09-23 11:55

Sample ID 240612-sfx8eazanc
Target 2024-06-12_6e30d4e845d590111302e350b847791d_bkransomware_karagany
SHA256 fc3cd301f0ff15fcdc1a608aa0f4bade2345205f96f982a19f8ff0a06db6b017
Tags
bootkit evasion persistence trojan
score
7/10

Analysis Overview

score
7/10

SHA256

fc3cd301f0ff15fcdc1a608aa0f4bade2345205f96f982a19f8ff0a06db6b017

Threat Level: Shows suspicious behavior

The file 2024-06-12_6e30d4e845d590111302e350b847791d_bkransomware_karagany was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit evasion persistence trojan

Loads dropped DLL

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Checks whether UAC is enabled

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 15:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 15:04

Reported

2024-06-12 15:07

Platform

win7-20240221-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_6e30d4e845d590111302e350b847791d_bkransomware_karagany.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_1121732716 = "\"C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\lmi_rescue.exe\" -runonce reboot" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Applications\LMI_Rescue.exe C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Applications C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Applications\LMI_Rescue.exe\IsHostApp C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_6e30d4e845d590111302e350b847791d_bkransomware_karagany.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_6e30d4e845d590111302e350b847791d_bkransomware_karagany.exe"

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe

"C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 secure.logmeinrescue-enterprise.com udp
GB 158.120.18.190:443 secure.logmeinrescue-enterprise.com tcp

Files

\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp

\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\Tar22B4.tmp

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 15:04

Reported

2024-06-12 15:07

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_6e30d4e845d590111302e350b847791d_bkransomware_karagany.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_1121732716 = "\"C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\lmi_rescue.exe\" -runonce reboot" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_6e30d4e845d590111302e350b847791d_bkransomware_karagany.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_6e30d4e845d590111302e350b847791d_bkransomware_karagany.exe"

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe

"C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 secure.logmeinrescue-enterprise.com udp
GB 158.120.18.127:443 secure.logmeinrescue-enterprise.com tcp
US 8.8.8.8:53 control.rsc-app26-03.logmeinrescue-enterprise.com udp
US 158.120.24.75:443 control.rsc-app26-03.logmeinrescue-enterprise.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 127.18.120.158.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
BE 88.221.83.219:443 www.bing.com tcp
US 8.8.8.8:53 219.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 75.24.120.158.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat