Malware Analysis Report

2024-10-18 22:05

Sample ID 240616-wej6ya1apd
Target 2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany
SHA256 369c9e5b131132059e298b9b7d4110e1d88526211f5ddda97ced4dd323eca037
Tags
bootkit evasion persistence trojan
score
7/10

Analysis Overview

score
7/10

SHA256

369c9e5b131132059e298b9b7d4110e1d88526211f5ddda97ced4dd323eca037

Threat Level: Shows suspicious behavior

The file 2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany was found to show suspicious behavior.

Malicious Activity Summary

bootkit evasion persistence trojan

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Checks whether UAC is enabled

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 17:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 17:50

Reported

2024-06-16 17:52

Platform

win7-20240611-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_1981580648 = "\"C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\lmi_rescue.exe\" -runonce reboot" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Applications\LMI_Rescue.exe C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Applications C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Applications\LMI_Rescue.exe\IsHostApp C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe"

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe

"C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 secure.logmeinrescue-enterprise.com udp
GB 158.120.18.159:443 secure.logmeinrescue-enterprise.com tcp
GB 158.120.18.159:443 tcp

Files

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe

MD5 441009073bb9acb840e0cf2e50bf7226
SHA1 aa7424f651a1347d061e033fe384ae1babecc19c
SHA256 921730a30e98d64d8a4fd7a6eaf467b0db714c62e79acdbd092ef46fb612f89b
SHA512 0375e0dabbe9d9cd9f057c95e714003cc419dc7fc6c116da462fe3a6e50b5d84856894290476d0f1a6e5510661874ff3d4b9e873e8c9a7d5ec3800ad291892a8

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt

MD5 ace33e340873d4e2c7846b10be335468
SHA1 3728d14bc3090f61ba7fc791a2c11e0720938683
SHA256 3e9908bba36b958cbaafb2fc42ee7eed7bf815432230768f78d48e1736f24e99
SHA512 98dc3c9fb880e0a29d799643a2d13dc26916d4340e99778d44cf1d995c5634ab454cafa3b653992b23353b19acdadb97c4773475e75be2e3c42597ebd8012773

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log

MD5 2fad3dbfc737f774b51a6654958a47d3
SHA1 dc7170525517d8322345515f27c3df359b11254d
SHA256 c53c320540f1ecf2ee0d88a74dd4ec9781a1b0d83544dff22f96a6a6ce388bd3
SHA512 09877effe6cf71977fd7944a94309fb394b0594619cd9913001bcb486a46187de61de5ed5a5f567774b85a461a8baae4bc31fb423fc4ac799ed79e0257e87a88

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll

MD5 854d190fd7b02caa1958fb343c92b402
SHA1 3d510716c839f2227c2436619d3cf38df9d0a2d0
SHA256 187c9b071a26cafa124fdbbc67107d98af5f930990fab66f2df22f6858c2e2a1
SHA512 041a4c0e895fe4d4efa6da91bf5c210e0232201b715a237d34e1c25285adaf537af3167ac7fc7c6869dfcc465e8606f37182d34c3a7c9137430431f65334a910

memory/2304-34-0x0000000000780000-0x0000000000781000-memory.dmp

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico

MD5 8ad28e79941ce3e002804dfe1722ea87
SHA1 f0a6461b893023261056dcb0dcfab0c21615a24f
SHA256 63424e176b75642ebac9e5452eccc8c6956266dacc0ae4388d636d5bee5e7933
SHA512 de984c78aac30388c6a3ceb89435f4f9bbc51100a25675f9c01437dca320ca7db17bb166184435954374dff0c8e7506775a8bca786eb1a70ae6abea2456b3d70

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp

MD5 488e9ca1377ac6a7952f122520fab933
SHA1 b29f32f46806632fbc3fe706cc862989f7944669
SHA256 a464401fa4d88186b71a63b13d669e4b692892cc9f49d63f089095ce0d8dc088
SHA512 591ea4a80dcfc73fd1c29360775a9f35b66b16e5ed6803a43a703261c584a479a59797c7ee571638db55323a8f61c674fc67298b07a60b83640a31b0f0a01a3c

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll

MD5 f7c67b42655f17eae239f3229e373958
SHA1 b85b6d61395d4d32d8f471a913129f6d63ceaee7
SHA256 1cd30754dab9009d2b5b13aa940c8beb67ca7d3745ea7973dc2e167ba2de65f6
SHA512 8b48f93f63c52bbcfc9be86361a946e3234111920a448c379126e3c16f1ff3d0ef5e80c27261c3854af4b67f9d7b13cdb1dac3d0080186f00c610c86754679af

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat

MD5 eb87f293be771cd3f4e7db5c7de07a30
SHA1 e4455f4141b2c74d1b4adb8a1f2afd0816c3ba06
SHA256 a229f45574dd4e27319f878fe9522300037b2f251588a211a56a950b8d6be2da
SHA512 dd9ecff3a351394bca93b676f756d824a8a69efac0c2437cbe955c5f1016284358cace283fdc54ae7dac2d30796dd24ffe5c436a18fb7bbd7261a8647a4b836c

C:\Users\Admin\AppData\Local\Temp\Cab649F.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar64E0.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

MD5 0092ccf961adbe44e78c87e5930be434
SHA1 f556afa0e11eb3c410b701c6d9cf1a1a630d1625
SHA256 0f215d86744d0f84798f55839e30485b6fe43847b5b85d26ab124b75e4c8b02f
SHA512 a1e18f631a0794fbf70b072a15fe667f8b4952f094983eba1f88e8bae7f04106471fba93b64959dae052788a2ddf65cdc7c4fd4d1c21a80c2214d49d86098182

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 17:50

Reported

2024-06-16 17:52

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_1981580648 = "\"C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\lmi_rescue.exe\" -runonce reboot" C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-16_dc13a6e1633a19822451ca8d7669186d_bkransomware_karagany.exe"

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe

"C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 secure.logmeinrescue-enterprise.com udp
GB 158.120.18.196:443 secure.logmeinrescue-enterprise.com tcp
US 8.8.8.8:53 control.rsc-app26-05.logmeinrescue-enterprise.com udp
US 158.120.24.216:443 control.rsc-app26-05.logmeinrescue-enterprise.com tcp
US 8.8.8.8:53 196.18.120.158.in-addr.arpa udp
US 8.8.8.8:53 216.24.120.158.in-addr.arpa udp
BE 2.17.107.203:80 tcp
US 8.8.8.8:53 49.192.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 20.12.23.50:443 tcp

Files

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe

MD5 441009073bb9acb840e0cf2e50bf7226
SHA1 aa7424f651a1347d061e033fe384ae1babecc19c
SHA256 921730a30e98d64d8a4fd7a6eaf467b0db714c62e79acdbd092ef46fb612f89b
SHA512 0375e0dabbe9d9cd9f057c95e714003cc419dc7fc6c116da462fe3a6e50b5d84856894290476d0f1a6e5510661874ff3d4b9e873e8c9a7d5ec3800ad291892a8

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt

MD5 ace33e340873d4e2c7846b10be335468
SHA1 3728d14bc3090f61ba7fc791a2c11e0720938683
SHA256 3e9908bba36b958cbaafb2fc42ee7eed7bf815432230768f78d48e1736f24e99
SHA512 98dc3c9fb880e0a29d799643a2d13dc26916d4340e99778d44cf1d995c5634ab454cafa3b653992b23353b19acdadb97c4773475e75be2e3c42597ebd8012773

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log

MD5 16b6545b1bc20dc562bfd439aef564c3
SHA1 73376b7c5f59d84ee9b0c35e7398414d81b1b57d
SHA256 73e1ab56e04df730f9638e03420730fb8da18244680ab023dc455915956da9f1
SHA512 54ab0d1ed847db4737170a6991bb7c8b1e820bb435d882f7e21ce1264766607691941930b4d31dac4db38d295e392c530628b7bea7a605bedf37e8c12d94e816

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll

MD5 854d190fd7b02caa1958fb343c92b402
SHA1 3d510716c839f2227c2436619d3cf38df9d0a2d0
SHA256 187c9b071a26cafa124fdbbc67107d98af5f930990fab66f2df22f6858c2e2a1
SHA512 041a4c0e895fe4d4efa6da91bf5c210e0232201b715a237d34e1c25285adaf537af3167ac7fc7c6869dfcc465e8606f37182d34c3a7c9137430431f65334a910

memory/3552-34-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico

MD5 8ad28e79941ce3e002804dfe1722ea87
SHA1 f0a6461b893023261056dcb0dcfab0c21615a24f
SHA256 63424e176b75642ebac9e5452eccc8c6956266dacc0ae4388d636d5bee5e7933
SHA512 de984c78aac30388c6a3ceb89435f4f9bbc51100a25675f9c01437dca320ca7db17bb166184435954374dff0c8e7506775a8bca786eb1a70ae6abea2456b3d70

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp

MD5 488e9ca1377ac6a7952f122520fab933
SHA1 b29f32f46806632fbc3fe706cc862989f7944669
SHA256 a464401fa4d88186b71a63b13d669e4b692892cc9f49d63f089095ce0d8dc088
SHA512 591ea4a80dcfc73fd1c29360775a9f35b66b16e5ed6803a43a703261c584a479a59797c7ee571638db55323a8f61c674fc67298b07a60b83640a31b0f0a01a3c

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll

MD5 f7c67b42655f17eae239f3229e373958
SHA1 b85b6d61395d4d32d8f471a913129f6d63ceaee7
SHA256 1cd30754dab9009d2b5b13aa940c8beb67ca7d3745ea7973dc2e167ba2de65f6
SHA512 8b48f93f63c52bbcfc9be86361a946e3234111920a448c379126e3c16f1ff3d0ef5e80c27261c3854af4b67f9d7b13cdb1dac3d0080186f00c610c86754679af

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

MD5 907c973f232e31e49a184519c3775d8e
SHA1 5bf7c8d16133b942c22087f44645c5c74cfa0e6b
SHA256 55911c772a76d11bf16161f8cec1f8019e7c409fde3040145b3591891dfa46de
SHA512 cf4b5b24664f5319e9e0e9c8e43c11a794d52b0a5399d7ddbc183ca03660dd8672b081e2548663a50a2013c8200346eef52ff426c215e935af422c3e8b3009c0

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

MD5 98b1078fe542f40734969b870da3bc39
SHA1 e29d0a6513eca6a0b731527521bc28c84ddc17bf
SHA256 c4edeb361a733f1fdf4c071ae8cee6f8a19e32363022ce3298b1cdc4f2b76092
SHA512 84ec4c5e828a3faf25947d205c925f88c6d180c80176f2a418e6a90c8955657d8f76e42e7b14ebcb2a6fd3b79c0f3572f0092052894ace188920eaa242badc8a

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat

MD5 b42ee0a9809c791112305a8153d608cb
SHA1 1b6c31120c3a514dbfbdd8ca26ba273fc7d780b0
SHA256 da370839df8bc3f04bf8c17fac30557a27eb3687d1650c24c4181e98d621d259
SHA512 10a24fc9a8e05b5e2d859cdc37a6374b10130e9a9083b9f51d606ef34524d4e279fedd452139019fe34881f266654e35064c305d9f9319bdfeaf3f1148e00bdb

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

MD5 6636f0417f7127ac8716490316ff203f
SHA1 278ac4cabd621bbb69178b0d70f8f4dd5dafe039
SHA256 bc430b96ce122d322eb5a944f3dfcd3110355ab5c3451cb6b8a8b3537ebcd152
SHA512 1e3448a98b45e4f1cd037e26b8bc40bd42c54237724d5184377bddf077ca91a872af756f26a322b3135fbfdf5b6adc479bbe0e9f2e9c5089152436ccb2878258

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat

MD5 12c945835f367c0ad272ba7e5802e044
SHA1 52029d9a23bb414f7011e2ecd2c9d6b9ba41d1f3
SHA256 6c70901bf3bf29c39605b6034986a4dd497070e02b86b9c61c2f0b2477475adf
SHA512 064208bc6f0f38307e90df849a39724fbe18d510c2e797a68e664839c230e4b287faaa4209f188ee9260a12dd613f6f0cae0ff3076f68b1b5eb5e253426fed25