ea9b6026aea3a93b028e37fd35a4683cff2b64df6f1b7a2f41beaaa93a6acc9e

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-20_c115f276310367495c865a6b9a25b365_bkransomware_karagany.exe
Size

1.8MB
MD5

c115f276310367495c865a6b9a25b365
SHA1

043b0ffc9d1efd995a02e14ce1263b0ff032fe04
SHA256

ea9b6026aea3a93b028e37fd35a4683cff2b64df6f1b7a2f41beaaa93a6acc9e
SHA512

b75e92c23af7a2b1bb276690b17e08c82a1b4b25c34e894f5c5c4ae45c923567fedc37a6bd4022c39bdd19b19ed12300f3a85df8837cdbf3a3c10134ba570dd1
SSDEEP

24576:zPbuyt09l71Xl65v+JmJuyOC3dCasolj5PRU9xW5Q7wQA5iF7k814QGl6ezyUtKc:zDuyt0/6mmpwK5X5Q7nS3Jt4SfRXbcw

Score

7^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2908	lmi_rescue.exe
2456	LMI_Rescue_srv.exe

Loads dropped DLL 3 IoCs

pid	Process
2188	2024-06-20_c115f276310367495c865a6b9a25b365_bkransomware_karagany.exe
2908	lmi_rescue.exe
2908	lmi_rescue.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_1064020997 = "\"C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\lmi_rescue.exe\" -runonce reboot"	lmi_rescue.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lmi_rescue.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LMI_Rescue_srv.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	lmi_rescue.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1801A0BFF52C676E5F51CA71C5350277	LMI_Rescue_srv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	LMI_Rescue_srv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	LMI_Rescue_srv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	LMI_Rescue_srv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	LMI_Rescue_srv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1801A0BFF52C676E5F51CA71C5350277	LMI_Rescue_srv.exe

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
1804	bcdedit.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	LMI_Rescue_srv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	LMI_Rescue_srv.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\LocalServer32	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\FLAGS	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0\win32	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Applications	lmi_rescue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue_srv.exe	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\LocalServer32 = "LMI_Rescue.exe"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Applications\LMI_Rescue.exe	lmi_rescue.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\ = "Rescue Com library"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\LocalService = "LMIRescue_9392c47a-23a5-4a48-a2ff-d9bbd6dfe495"	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue.exe	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\HELPDIR	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\LMI_Rescue.exe"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ = "IRescueSvc"	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ = "IRescueUser"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue.exe	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\TypeLib\ = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\FLAGS\ = "0"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\RunAs = "Interactive User"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4f28-B191-A6EC8801AB3B}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\LocalService = "LMIRescue_9392c47a-23a5-4a48-a2ff-d9bbd6dfe495"	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR0001.tmp\\LMI_Rescue.exe"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue.exe\AppID = "{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\ = "LMI_Rescue.exe"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\TypeLib	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\Version = "1.0"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue_srv.exe\AppID = "{359471F8-E218-4b08-8D1E-8DFBF2F0F700}"	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\Version = "1.0"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ = "IRescueUser"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	LMI_Rescue_srv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54362000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	LMI_Rescue_srv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd90b000000010000001200000044006900670069004300650072007400000014000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd155090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	LMI_Rescue_srv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 1900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c543604000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	LMI_Rescue_srv.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2908	lmi_rescue.exe
2456	LMI_Rescue_srv.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	2908	lmi_rescue.exe
Token: SeCreateGlobalPrivilege	2908	lmi_rescue.exe
Token: SeCreateGlobalPrivilege	2456	LMI_Rescue_srv.exe
Token: SeCreateGlobalPrivilege	2456	LMI_Rescue_srv.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2908	lmi_rescue.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2908	2188	2024-06-20_c115f276310367495c865a6b9a25b365_bkransomware_karagany.exe	28
PID 2188 wrote to memory of 2908	2188	2024-06-20_c115f276310367495c865a6b9a25b365_bkransomware_karagany.exe	28
PID 2188 wrote to memory of 2908	2188	2024-06-20_c115f276310367495c865a6b9a25b365_bkransomware_karagany.exe	28
PID 2188 wrote to memory of 2908	2188	2024-06-20_c115f276310367495c865a6b9a25b365_bkransomware_karagany.exe	28
PID 2188 wrote to memory of 2908	2188	2024-06-20_c115f276310367495c865a6b9a25b365_bkransomware_karagany.exe	28
PID 2188 wrote to memory of 2908	2188	2024-06-20_c115f276310367495c865a6b9a25b365_bkransomware_karagany.exe	28
PID 2456 wrote to memory of 1804	2456	LMI_Rescue_srv.exe	30
PID 2456 wrote to memory of 1804	2456	LMI_Rescue_srv.exe	30
PID 2456 wrote to memory of 1804	2456	LMI_Rescue_srv.exe	30
PID 2456 wrote to memory of 1804	2456	LMI_Rescue_srv.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-06-20_c115f276310367495c865a6b9a25b365_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_c115f276310367495c865a6b9a25b365_bkransomware_karagany.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
  "C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2908

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe
"C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe" -service -sid 9392c47a-23a5-4a48-a2ff-d9bbd6dfe495
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\system32\bcdedit.exe
  C:\Windows\system32\bcdedit.exe /deletevalue safeboot
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll

Filesize
135KB

MD5
f263e07e90109e09ff4e5e5419136c39

SHA1
2935f14136ba18825bf6942ce0db8ef4984f9176

SHA256
dab0fcfdf3cfe20720876485a5eac1700974dee37e06b5e71c5bc89c02e5fdd2

SHA512
cb0173e92acfd3729aeb801ef8ecbeb4d35e1b09dfd47365e8889b856fd214a56189f29635e859b9cdb2ce2c8ee0ef3551d110200627ac41ba9b516c91c2ee14

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat

Filesize
96B

MD5
c5aa7fcbc080e21f2a49bfc57fb01f43

SHA1
df1b08503e468300f6cf080f89c10315745125d3

SHA256
c77270a226240e8a8a6cc7e2e3b49223be14324999e5bc1b08c8c49889662c14

SHA512
d594ffb8b422e6d5d2005961612cf3e3a00fa416ee2404acfa52218b936996f59bfaae2fe15cee072c8bdfe81a5ce540e36491d94b26d7005581a8cdc1910f27

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat

Filesize
210B

MD5
2d38f4ae2be665695a97fd867c9ea5ad

SHA1
e0ca7083bf3c71e9778da59b2a16f8cea2434e6e

SHA256
f3979b46e2aad57550466967678de9dbae5c202af805cb892a0f67b4b1e72f9c

SHA512
a8561c83c762ae5ffc9c295bc796caea140eb7b18b9852824002b2d04f7be9a03467682470b07a2133b69b4401c0bc872566257f9cfcdc53a30fd14c8b38e022

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe.manifest

Filesize
1KB

MD5
a8c8020969a888a8bdb145a24597ee14

SHA1
422b9856eb65d022a6828e6bd3d4caf469638a43

SHA256
3fe5fcd7dfdacb5c2026fe549eb0e9cffe8982d94c79343f20790c879d53d533

SHA512
bd40e3d8e1e145856aa5d95e80778a9d5beda5ab82396d616ab1838ec14c170ced079f55719716f3c6ee890f512864e2022fdc5e4dda7487ff1f246ceb5ccb50

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp

Filesize
3KB

MD5
cdb31baaaccacc9273484427f39aa5cb

SHA1
d6694cc7ace0bded5cd9129bdeb324c032a8d2d5

SHA256
003aa4deb3d5184fb7b618df99b680611cbcfa3d764d5a2a210ff4cae5ec96b8

SHA512
f2e10765b468b507a0476244d16797c5b0f5820fb45b8643fa3b37d78c741d724f35e29bb4ad2f99a9529fcd6eb12eefcfb7c28a9c16479bc002b1e4b41c39cb

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt

Filesize
538B

MD5
e0d1ed58717bc88fc6f7497371a17a5b

SHA1
e1b27b2abae2fe379f489806f735375accd43206

SHA256
926f41ec34b73acd03c306da20a15208356f53fb33b348272bcc5c857d6a174d

SHA512
1dbd5365aad243132148714a37c1f1f7ea8df25ddbebd710fdc28567e3a9d532dd3a418152fac076316333a676241a656a99bf53fc59a195e6ac3dcfb3c882aa

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt

Filesize
668B

MD5
0aea1b7793df12ad63627fc4fa244a7b

SHA1
42f37d49d99758b084ff35f29069026ac21a36ad

SHA256
98c5c766450b576a276ed88efb9252c54bb149c679c6df6ead1a933a48b318bc

SHA512
877bd9f13ddd9c451bb038e8feea414722a3ff0191cb546f4f23577af9bbc6632c021be143b70077467efe9ffbd19e71b23469157b784cc882575e17f4ac1afa

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\ra64app.exe

Filesize
174KB

MD5
befaf7ec1d8e8fdfc0dcffff0ade851e

SHA1
54eac76d6ed3eba0fe7a4a301f5d560cd542ed8d

SHA256
1069dc1446eecfc43bd1d8b0ba7519bf1f36317b50cb56a2d1e465f5d25bc450

SHA512
6f5e694516c0bf61bbb0a97f2423cddc31bd3ed9101673cb36152c8eb369a1c7cc8242e8c207e136828df4773a53e9a79e8249058a3f1a9e6a969fce32741a61

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll

Filesize
233KB

MD5
bac4bae81b691ce3c15f05b6e9063e08

SHA1
8b012d50318bdc868097d3f6cf1d7db7c55f3d04

SHA256
f5271dfddd6ba8b37ea950cb839439d4d38cf0de0400b6fb9f2cad4ed87b41e2

SHA512
7ece1da4398f3ad0c65e99b2807ffdaeb89c8397eccf5e5763ed67498151a27cf06297326c651b91c560a0a29532a46d68a715a0dcf133c7dc055e0e1e5309d2

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico

Filesize
26KB

MD5
8ad28e79941ce3e002804dfe1722ea87

SHA1
f0a6461b893023261056dcb0dcfab0c21615a24f

SHA256
63424e176b75642ebac9e5452eccc8c6956266dacc0ae4388d636d5bee5e7933

SHA512
de984c78aac30388c6a3ceb89435f4f9bbc51100a25675f9c01437dca320ca7db17bb166184435954374dff0c8e7506775a8bca786eb1a70ae6abea2456b3d70

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.info

Filesize
248B

MD5
f8d179e7ed695905389925ac73d4c56d

SHA1
b6c82872fc3ca640a29e1e77da456e5a59678a3f

SHA256
15a4e847eb99ab8e9d7efc819d932443e7e9c048dffe866b79d0ef1e35482d1f

SHA512
a18dfd4968b3f0b40977dd09a7c00072ed97f6e09ee9b6a7ce7d8b2c8e42db7f0f7bdfee92133bd0f778c14286594c4fa68b2e689c8b933ad015d95ad6bee7fd

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

Filesize
6KB

MD5
eb6696a4b72555e8386da326f1ef76d5

SHA1
b897c6dad8dfbcf8dcaa05c52a7d574a64f67066

SHA256
0d4204b930cb26436e3de7c64899de8b11035821fcb8416d4789d09753c42f98

SHA512
6e70bf68f0eeb518b817ae7f0d7c2086c210e4d8c8a6a13b78dd9eb739f045dfb0fd907a884f7b89c50bb9ea37ed8215a8a0aa15896136f5444d246e4fd4d2a3

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

Filesize
7KB

MD5
10e2b8e9b7273e1ad5a8909a9b2b6bfd

SHA1
c79baff1d9b756cf7af0f703e8225a175b2bae6f

SHA256
04855ee563cace1377afa05a9d4e5fd40c6fe521e996e402d9d9c9d93f5f8b47

SHA512
ab17adcfaa8ec9e55a932589d8ea63336831306bf02a65aa4902b48cbb79efcd5ab4a7caf493124f46380ba59fb0b56ed8898a6f972cf4e3adf054954934b6ea

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

Filesize
7KB

MD5
85d0acd7f35314b59162523c398c9f2d

SHA1
b99bc4e964768920f2deb9c77f11d1c4dc877546

SHA256
22159db5a5af735048a5889c8ae36990c1cd1dca0c48350bb242ec1a6aa4c107

SHA512
718bb661e113c246e184b5fe0e424819f4c3b704db5b72845e1fe64fb1951df6126347af20504fdef42fda078296c7838888d880322861b164b67117c93f4230

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

Filesize
8KB

MD5
1b389bd1545563bd41ac96fc0b7552bb

SHA1
7bf0d94792dcf0b140f6f409b4fc5d77c01f96ae

SHA256
4c45c0c035fe50c6187eb41fcdc8a72ae658160a66954a713fb975ea3cbfdfa5

SHA512
79cd490d3759f0df3e834ab94944c7aec062f57408759d769bb4f481b5b715f4b0231d074260ac801dc5d9d22df82704aee544f68d9979d10adf6afcd134a1a6

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

Filesize
9KB

MD5
2e33a17cfa85d8d845cf88dc9b9cf31d

SHA1
17feee4304c1763c0b0a824c243e3b5519f28df6

SHA256
d49d43c6ffaaf44b298db28b4f2bcafbf59033ed060fc8148a83c37fa6940d7b

SHA512
1e3f1c8e319bb232342caafd77733ff91c5e8ed2617cdb0e24a4d7d7bcce57a7f5e621fb63e7adc80201545d9cc58848fa9b5395c6a367d8119eae128ed6c257

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

Filesize
9KB

MD5
da7e199a2043999e61d66edfd18830a0

SHA1
4d94da184511a340f923303292b1ec732104523f

SHA256
8b23fe078ff52fb31b2df543ab5139418c574d869bd25f868b75cdd326398f87

SHA512
71ac32f2ca44436f712f6188dd30d5f91ac9536c7b1cb73c405d90483c022eb2ba7846f3f92d344ec1eadc20090354e024a9d880e359e333d3e78f42a85824af

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

Filesize
9KB

MD5
0f47edb00836d36c3737c65c5f0330a0

SHA1
6a2b5e0ebb75083da8833939018d303f5c935103

SHA256
f578b67bbc50421f3012f819e8de478a647c993b3d877b27a8f35694b1ea0835

SHA512
336c62e79eda043a273f990ee127243f9ba7d87fabc00addd665bf7bca09e9ab26eccaf29045dace3c646adb27afd03b63b6af6f678eaa4332f9c2ecd9904d8c

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

Filesize
9KB

MD5
965e3f1d499a31d4b8363dc27f7ffe1c

SHA1
50ec01a1f9c755044de7b8512d012f399a97ecda

SHA256
38823cdcd7b3656008559241f91187487daf004bca64706de712bcdf9bf0c51c

SHA512
0e2a1eb1b6b6a7af9239d3128e80386d0536ce53d9528cf35226a29341ad6942cf60557b8b58ae6081d945218ca0023229d3e4dae56337720f63ce69b6e4a581

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

Filesize
9KB

MD5
609c647d1ef1d472284573b2058538ce

SHA1
e0b0fa20a38c487e68856b2885c16cd9649c4983

SHA256
fbc99afb30738061c36025f87b03ca015275ff6f999497bbba0a25fe83301c23

SHA512
d7f1bd71e1093059d44f7ee57d2773877c1dd9cbaca3decc05a47d92bd768c58949da6d4eb78cf2bc2f63e2f9466b30e4223804e127a9249777abcce37ba4de5

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

Filesize
10KB

MD5
88a2e1705aac8962c01e2ba96aa71043

SHA1
b20e9f4b40a422b0a0d4cd5a4fcc0ce222ca9ca1

SHA256
d0b7af0807994dc5e344645becb554a33d60d5de1a07805390dba29889bcb108

SHA512
3d89585c4dd8f81b26c4759f0b39cc01add6642bea60dcd90b4516963f7749dc0f6747da1374c68bffb628cff6ca6fcd8b1b7b1e9dfef54f7a9e59d636eece68

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

Filesize
12KB

MD5
cd6c837cb9a6874c8a84f2f45969b9e7

SHA1
22c0f535342f15c6277ad4e23b11828d8e11ae64

SHA256
1189c60e9753f87ccd3e312666b03720615724ec6391f5fe79901ed10359f7cb

SHA512
c7517d314ce2a7c73fb3353556ca2102125ebe8da32a64b89378ae0863f3987f02006989b5ef7189836b044c8ff7ffa5dd883c154dd3948075d52d5d0bdcc580

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

Filesize
12KB

MD5
ad41046f2145b408c7a28dc361d9c3db

SHA1
94b3831988728cd10df13b979116180314c28049

SHA256
5436f4b556d81320efdc444bccdaf17987fb72493428b2cb76a51f2e6e66f4bd

SHA512
cc1e9a5563b2178b35f80b220d80a60939683a13b47291b791683074c68309bf3e8277715e400f0efd41003d6acb8c1d75610ce811669b945cf05905a8100e73

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

Filesize
2KB

MD5
cd79aaf5a08a169112299c026d5a23ca

SHA1
96870b3aec7a0546101bf0d940306323ce15aef8

SHA256
6381fe3718d8916f20dce5963044a7ffc8f6f7c87da323fc2ce3c2312e27aa8c

SHA512
8e02353614be4071cfc9d12b6c660826e889ff1f9cb54842deddf5b1da2d2ec33ff9f53dd1b0afcf8dfac4e929383bd5e4d012bf202c5f30d07fb6efcf291bc8

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

Filesize
4KB

MD5
7219d716fd8e592885b757df975b170e

SHA1
bf3e500a688809c552ee220fb0f300770cb23520

SHA256
60429994d37bc104920aa04513f155d713acc7e20d73a49124619d40d8dc4abb

SHA512
7fa984f8447f9b97c63269dd3918cc27e0a6f70076bf2459d086af462d1531602486b4b48a7848366fd2d8873d235bc652006dc4d8763b419da75b0d431daf53

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

Filesize
4KB

MD5
bc2d42f425062f0e6d1dd704e2eab67b

SHA1
f03aa7265d9b791a427c46359532fe8db0bac9bf

SHA256
95907ce0964b63820e9abd034e297626ce908653e5af9a4c86631f0d7bcaf202

SHA512
1c80e0f6f880545d975c663f4440313f4a112129712014cc8eb7ab2464ab7e5238008c26ab138646baaba8e4944ca44931c7817071161f71f98011db1f841402

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

Filesize
5KB

MD5
bb380c59219f21be4f1ca1f0c39d026a

SHA1
d30d2c745feaf0e947ba97cfe1276a9e79a7d3d0

SHA256
152228427f60020f84509eda5cf26880e7b619c50d65158d212012d0d0a0d176

SHA512
6794908230e3c43373f0f2b89b3f739644d4675ab885ed4ab4eb1555355175c5a7dcf2d5d03c09c0a12b42df7efb25339ca8856a692708f08799935d809116d2

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log

Filesize
5KB

MD5
ebdb2c663b150999d853285d115cbbdc

SHA1
4ac35a243fc88d30ba0dba3f2d8e0a84913f145a

SHA256
e06ed7912bd5b57d1c8048faa65ab158d920283e8f789a8b763a17caf7e3fa8f

SHA512
fbd78c6adcce3786aff28ac4dc54b55f9fa2e1aae73349e3da1d7b556a214d4916b0ccb639ca2701a5f51d546a7c385ca0fa4e38b927260d03134524f8a2683d

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log

Filesize
733B

MD5
566aa26b47bb084431f6c5596cb772aa

SHA1
6f729b68822e0c8ac93308b884f9a6c41cb3b54b

SHA256
e8c2456308f86083c1839fa79672e1f14ac9f0fa6a348d56ef213f1546f883ca

SHA512
751c931a01ac39c86b1ae4fef2df290430a1d378cf647ac9ac11e6e2baf0232d8093e96aa04261f619e5e04c631abdb98d9e9c21cd3dde58db7cc1cdacd2a101

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log

Filesize
813B

MD5
00294dc29af1ae3cd41e909288d6be2e

SHA1
fab97480cb329c8b971b47a13d7e3ed1459db293

SHA256
96c51569fd86aa2c267add869bba33a3980ad38766c251e8b9ea0f4e0dca0470

SHA512
d5f50d14c6341ce6ad38884fa30dc6d6da544a2eec1e98b16f684812c187903bf9e04801dd2e10b153376bcd44ac90c4e7c477c6761b159e11cf7b0379f5b805

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log

Filesize
868B

MD5
80ae414a234cd6567db3fae6c5b4b456

SHA1
53e3940217581a1d5d7baafa17928e7d5315e2e3

SHA256
522c7423411bf56c9e75ea63125c59ba742efbcaf3e1fd57d5c3b4bc487250fb

SHA512
2527a3fb70a085b351c518f832130b484375fe138a779884e5db66bd3e0db3583735cc27e7e3ee278cdfcc703b468a61f6409e7277a57b29833995ff18e374d0

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log

Filesize
921B

MD5
67bc508c77abf0eca882aa11d77e5850

SHA1
9d3fe6541742ced9413f7000af86f986ed183408

SHA256
9112fbf57cf88e3a53bb3756cc9dc175a9ec9d019f6609913f5dccfe166269ba

SHA512
a90e1fe1ac999b5385912c23137750a19cd26126854e0508dd7f3f4cda51c2f5279baa26d9041f6c43f19aca3f029fce3e1b651a89a604bd4d6d83cb1fa0f250

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log

Filesize
344B

MD5
17f9d9445cf1891c7818e8e1790df78f

SHA1
50f2374c5225f662c600054ffd28d282c1dbc360

SHA256
df6609dc46c3625e644b48206f93ca82e865821d68c21bb90fc0bca218a773de

SHA512
401c3399b8078a82ccd9782d1ffcb797712902192619e4fbe7219df2cea372278854d0872b29b5528ae26ddf92bd22d50765779b4740231c48172b95756693fb

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log

Filesize
685B

MD5
6d4aa1f257692fd542975a9eefbd111f

SHA1
6392a110fbff789bc056188197b169881d42fd39

SHA256
25051750a767d8f15628d0bc33ee525f98384a2d824961e71284c0d278e6b59a

SHA512
323c41174551758ef17ccb36046006d68680e23e8d35424ecb87065cbfca625c1ee0a802ad4ee4080186d535122a727cad7f9a29a294e1cfb805df32915a263f

Download Submit
\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe

Filesize
3.9MB

MD5
735ef1b70fad1fba9793abd27a803803

SHA1
0e082f539a1e9fc9fca3141613e813fc2e113779

SHA256
6881582e0dc0dcdcb9009b6cce6a0ba369d2372a7405dcbad6ce8d9425fcb68b

SHA512
4edeebc090af8feba67d04ddb44ad84f36dcc3a2918f3166ade99ab04422ccb0a4f4785ff95f7f7fe4319766f73128907a373b2a2c018eb5771a519936b6165e

Download Submit
memory/2908-35-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download