File name: Support-LogMeInRescue (11).exe

Full analysis: https://app.any.run/tasks/125643e4-0219-4bd3-9fea-7ef7be7b1030
Verdict: Malicious activity
Analysis date: November 02, 2023, 13:41:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 892140E61C390EB879360247A72E289C
SHA1: 0778DF6ECCE95D76EB13BC83669F0E67D778D3E7
SHA256: 1B667FA48CB513070F912CD2A17F4768F782A349A6F9D66AC3D63F14B1C49441
SSDEEP: 98304:9rLuZlRy/WRz66EXL2poe+Z8G1qEz7kdotjGKs07kLM61O/zLiaqzxHALCk7Q8w4:Ut6Db5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Support-LogMeInRescue (11).exe (PID: 3376)
  • SUSPICIOUS

    • Reads the Internet Settings

      • LMI_Rescue.exe (PID: 3196)
      • LMI_Rescue_srv.exe (PID: 3544)
    • Reads the Windows owner or organization settings

      • LMI_Rescue_srv.exe (PID: 3544)
    • Reads settings of System Certificates

      • LMI_Rescue_srv.exe (PID: 3544)
  • INFO

    • Manual execution by a user

      • wmpnscfg.exe (PID: 3428)
      • wmpnscfg.exe (PID: 3612)
    • Checks supported languages

      • Support-LogMeInRescue (11).exe (PID: 3376)
      • wmpnscfg.exe (PID: 3428)
      • LMI_Rescue.exe (PID: 3196)
      • LMI_Rescue_srv.exe (PID: 3544)
      • wmpnscfg.exe (PID: 3612)
    • Reads the computer name

      • wmpnscfg.exe (PID: 3428)
      • LMI_Rescue.exe (PID: 3196)
      • LMI_Rescue_srv.exe (PID: 3544)
      • wmpnscfg.exe (PID: 3612)
    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 3428)
      • LMI_Rescue.exe (PID: 3196)
      • LMI_Rescue_srv.exe (PID: 3544)
      • wmpnscfg.exe (PID: 3612)
    • Creates files or folders in the user directory

      • Support-LogMeInRescue (11).exe (PID: 3376)
      • LMI_Rescue.exe (PID: 3196)
    • Checks proxy server information

      • LMI_Rescue.exe (PID: 3196)
      • LMI_Rescue_srv.exe (PID: 3544)
    • Reads Windows Product ID

      • LMI_Rescue_srv.exe (PID: 3544)
    • Process checks are UAC notifies on

      • LMI_Rescue_srv.exe (PID: 3544)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:10:09 11:20:16+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 79872
InitializedDataSize: 2498048
UninitializedDataSize: -
EntryPoint: 0x3c6a
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 7.51.439.2507
ProductVersionNumber: 7.51.439.2507
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: LogMeIn, Inc.
FileDescription: LogMeIn Rescue
FileVersion: 7.51.439
InternalName: Rescue
LegalCopyright: Copyright © 2005-2023 LogMeIn, Inc. US patents pending.
OriginalFileName: LMIRescue.exe
ProductName: LogMeIn Rescue
ProductVersion: 7.51.439
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start → support-logmeinrescue (11).exe (no specs) → wmpnscfg.exe (no specs), lmi_rescue.exe (no specs) → lmi_rescue_srv.exe; wmpnscfg.exe (no specs)

Process information

PID | CMD | Path | Parent process
3196 | "C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0C09D001.tmp\LMI_Rescue.exe" | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0C09D001.tmp\LMI_Rescue.exe | Support-LogMeInRescue (11).exe
User: admin
Company: LogMeIn, Inc.
Integrity Level: MEDIUM
Description: LogMeIn Rescue
Exit code: 0
Version: 7.51.439
Modules (images):
  • c:\users\admin\appdata\local\logmein rescue applet\lmir0c09d001.tmp\lmi_rescue.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
3376 | "C:\Users\admin\AppData\Local\Temp\Support-LogMeInRescue (11).exe" | C:\Users\admin\AppData\Local\Temp\Support-LogMeInRescue (11).exe | explorer.exe
User: admin
Company: LogMeIn, Inc.
Integrity Level: MEDIUM
Description: LogMeIn Rescue
Exit code: 0
Version: 7.51.439
Modules (images):
  • c:\users\admin\appdata\local\temp\support-logmeinrescue (11).exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
3428 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\program files\windows media player\wmpnscfg.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\sspicli.dll
  • c:\windows\system32\ole32.dll
3544 | "C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0C09D001.tmp\LMI_Rescue_srv.exe" -wd "C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0C09D001.tmp" | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0C09D001.tmp\LMI_Rescue_srv.exe | LMI_Rescue.exe
User: admin
Company: LogMeIn, Inc.
Integrity Level: MEDIUM
Description: LogMeIn Rescue
Exit code: 0
Version: 7.51.439
Modules (images):
  • c:\users\admin\appdata\local\logmein rescue applet\lmir0c09d001.tmp\lmi_rescue_srv.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\mpr.dll
  • c:\windows\system32\ws2_32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\nsi.dll
  • c:\windows\system32\wtsapi32.dll
3612 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\program files\windows media player\wmpnscfg.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\sspicli.dll
  • c:\windows\system32\ole32.dll

Total events: 4 091
Read events: 4 071
Write events: 12
Delete events: 8

Modification events

(PID) Process: (3428) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{A10A7D96-F2EF-45EA-8FF7-19F391F5C737}\{857FCC3A-0AE0-40A3-B78C-F5A324CC6E41}
Operation: delete key | Name: (default) | Value: -

(PID) Process: (3428) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{A10A7D96-F2EF-45EA-8FF7-19F391F5C737}
Operation: delete key | Name: (default) | Value: -

(PID) Process: (3428) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{622543A4-75A1-49AC-B1EB-13369586EEDA}
Operation: delete key | Name: (default) | Value: -

(PID) Process: (3544) LMI_Rescue_srv.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E
Operation: write | Name: LanguageList | Value: en-US

(PID) Process: (3612) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{665FB1D5-54E7-4B00-9904-F678937B8C73}\{881BF30A-3F93-454E-99F7-C59F12875CA2}
Operation: delete key | Name: (default) | Value: -

(PID) Process: (3612) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{A10A7D96-F2EF-45EA-8FF7-19F391F5C737}\{881BF30A-3F93-454E-99F7-C59F12875CA2}
Operation: delete key | Name: (default) | Value: -

(PID) Process: (3612) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{A10A7D96-F2EF-45EA-8FF7-19F391F5C737}
Operation: delete key | Name: (default) | Value: -

(PID) Process: (3612) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{665FB1D5-54E7-4B00-9904-F678937B8C73}
Operation: delete key | Name: (default) | Value: -

(PID) Process: (3612) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{526E136E-7AC2-4B77-8B06-6434DC660AB8}
Operation: delete key | Name: (default) | Value: -

Executable files: 7
Suspicious files: 10
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3376 | Support-LogMeInRescue (11).exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0C09D001.tmp\rahook.dll | executable
  MD5: F3734D88D0B352002751DB57EE66387D
  SHA256: 6F4893E6CAF159744F860DC2F5F1BD81CCC80C17ED5395C39FAF41DB35B0AF5F
3376 | Support-LogMeInRescue (11).exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0C09D001.tmp\LMI_RescueRC.exe | executable
  MD5: 08BDEC4A17AA2CB0699DDACCDE431800
  SHA256: 3EC8AE416775F62CA72014B730179BC27BCC6B464A2BBD30592D7CDF555C7B7D
3376 | Support-LogMeInRescue (11).exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0C09D001.tmp\Lmi_Rescue_srv.exe | executable
  MD5: 38F93CE742E212033808518FC28A56FA
  SHA256: D401E360A8241D475F373D0A4B7D5B87A41FC83B7F5409DC6AEEE8EC73DD1179
3376 | Support-LogMeInRescue (11).exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0C09D001.tmp\ra64app.exe | executable
  MD5: 8082C0FB169E7CFC1A58DDA7436AF8AF
  SHA256: CD971F800F1E8D6F19379228FD0C3B96EF9DC187A7FD7B1FB4A98196BE86B8E3
3376 | Support-LogMeInRescue (11).exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0C09D001.tmp\nvdaControllerClient32.dll | executable
  MD5: 64B6AB90921BA108901C47454C1D9282
  SHA256: FC096FADE7F44369A748251C1D408FB20648CA07859047E7CF9A93A2942649CF
3376 | Support-LogMeInRescue (11).exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0C09D001.tmp\RescueWinRTLib.dll | executable
  MD5: B1FE60385333FBE77BAE696D326DF27F
  SHA256: 87167A193AFF345D335480D0012009AF0E349D6C2E07806E72654A4FD04CA867
3376 | Support-LogMeInRescue (11).exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0C09D001.tmp\params.txt | text
  MD5: 624A2C9ABB5B5E72B44FA570C3B7205C
  SHA256: 5CA6F5CBE8B2A9A663E9DA08DC516FACE47D7C4FB715BC9FB73D0FA688A557B3
3376 | Support-LogMeInRescue (11).exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0C09D001.tmp\logo.bmp | binary
  MD5: CDB31BAAACCACC9273484427F39AA5CB
  SHA256: 003AA4DEB3D5184FB7B618DF99B680611CBCFA3D764D5A2A210FF4CAE5EC96B8
3376 | Support-LogMeInRescue (11).exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0C09D001.tmp\rescue.ico | image
  MD5: 8AD28E79941CE3E002804DFE1722EA87
  SHA256: 63424E176B75642EBAC9E5452ECCC8C6956266DACC0AE4388D636D5BEE5E7933
3196 | LMI_Rescue.exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0C09D001.tmp\session.log | text
  MD5: 81051BCC2CF1BEDF378224B0A93E2877
  SHA256: 7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 6
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
3544 | LMI_Rescue_srv.exe | 158.120.16.114:443 | control.rsc-app24-05.logmeinrescue.com | ORACLE-BMC-31898 | DE | unknown

DNS requests

Domain | IP | Reputation
rescue-data-center.logmein-gateway.com | 216.219.114.24 | unknown
rescue-list.24.logmein-gateway.com | - | unknown
control.rsc-app24-05.logmeinrescue.com | 158.120.16.114 | unknown

Threats

No threats detected
No debug info