File name: Support-LogMeInRescue.exe

Full analysis: https://app.any.run/tasks/a2a585d3-7c6f-4bbb-b1b6-42c5cc702542
Verdict: Malicious activity
Analysis date: February 06, 2024, 18:04:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 4FD2C55376DC70F9305B6BC072A44081
SHA1: 2333D1E308B0FC2D5F60297BB8510A2184F5955D
SHA256: 3E7152A6066A285E13226234D2D9C1EE9034C8B64135EC9871FCAD9E71CA13DC
SSDEEP: 98304:2rLX/fjIfIJDg/wEhf9h89tx89umeDgW9WdqZfXxsgmTWVu5LAuAIxk/090xQR2K:NKAxcax

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Support-LogMeInRescue.exe (PID: 1652)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Support-LogMeInRescue.exe (PID: 1652)
    • Reads the Internet Settings

      • LMI_Rescue.exe (PID: 1632)
      • LMI_Rescue_srv.exe (PID: 2736)
    • Reads the Windows owner or organization settings

      • LMI_Rescue_srv.exe (PID: 2736)
    • Reads settings of System Certificates

      • LMI_Rescue_srv.exe (PID: 2736)
  • INFO

    • Checks supported languages

      • LMI_Rescue.exe (PID: 1632)
      • Support-LogMeInRescue.exe (PID: 1652)
      • LMI_Rescue_srv.exe (PID: 2736)
    • Reads the computer name

      • LMI_Rescue.exe (PID: 1632)
      • LMI_Rescue_srv.exe (PID: 2736)
    • Creates files or folders in the user directory

      • Support-LogMeInRescue.exe (PID: 1652)
      • LMI_Rescue.exe (PID: 1632)
    • Reads the machine GUID from the registry

      • LMI_Rescue.exe (PID: 1632)
      • LMI_Rescue_srv.exe (PID: 2736)
    • Checks proxy server information

      • LMI_Rescue.exe (PID: 1632)
      • LMI_Rescue_srv.exe (PID: 2736)
    • Reads Windows Product ID

      • LMI_Rescue_srv.exe (PID: 2736)
    • Process checks whether UAC notifications are on

      • LMI_Rescue_srv.exe (PID: 2736)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:11:08 10:23:42+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 79872
InitializedDataSize: 2498560
UninitializedDataSize: -
EntryPoint: 0x3c6a
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 7.51.440.2510
ProductVersionNumber: 7.51.440.2510
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: LogMeIn, Inc.
FileDescription: LogMeIn Rescue
FileVersion: 7.51.440
InternalName: Rescue
LegalCopyright: Copyright © 2005-2023 LogMeIn, Inc. US patents pending.
OriginalFileName: LMIRescue.exe
ProductName: LogMeIn Rescue
ProductVersion: 7.51.440
No data.
Total processes: 38
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start → support-logmeinrescue.exe → lmi_rescue.exe (no specs) → lmi_rescue_srv.exe

Process information

PID: 1632
CMD: "C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\LMI_Rescue.exe"
Path: C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\LMI_Rescue.exe
Parent process: Support-LogMeInRescue.exe
User: admin
Company: LogMeIn, Inc.
Integrity Level: MEDIUM
Description: LogMeIn Rescue
Exit code: 0
Version: 7.51.440
Modules (images):
c:\users\admin\appdata\local\logmein rescue applet\lmir0fe24001.tmp\lmi_rescue.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 1652
CMD: "C:\Users\admin\AppData\Local\Temp\Support-LogMeInRescue.exe"
Path: C:\Users\admin\AppData\Local\Temp\Support-LogMeInRescue.exe
Parent process: explorer.exe
User: admin
Company: LogMeIn, Inc.
Integrity Level: MEDIUM
Description: LogMeIn Rescue
Exit code: 0
Version: 7.51.440
Modules (images):
c:\users\admin\appdata\local\temp\support-logmeinrescue.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 2736
CMD: "C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\LMI_Rescue_srv.exe" -wd "C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp"
Path: C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\LMI_Rescue_srv.exe
Parent process: LMI_Rescue.exe
User: admin
Company: LogMeIn, Inc.
Integrity Level: MEDIUM
Description: LogMeIn Rescue
Exit code: 0
Version: 7.51.440
Modules (images):
c:\users\admin\appdata\local\logmein rescue applet\lmir0fe24001.tmp\lmi_rescue_srv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wtsapi32.dll

Total events: 4 039
Read events: 4 025
Write events: 14
Delete events: 0

Modification events

(PID) Process: (2736) LMI_Rescue_srv.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Executable files: 7
Suspicious files: 10
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1652 | Support-LogMeInRescue.exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\Lmi_Rescue_srv.exe | executable
MD5: 4EE5763381A9EBF2673707B24C99BFCB
SHA256: E7D547B4F7497E0AB289E47523D39720AF9F4C41DAA9582B62AFEFF5D5F3AD98
1652 | Support-LogMeInRescue.exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\rahook.dll | executable
MD5: 6D66D03217FD2B860EFD705903E08F24
SHA256: 887F5BE572899CD5CE665060B16198A7E02FB93F8833EBFDF6E6E6356773016A
1652 | Support-LogMeInRescue.exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\nvdaControllerClient32.dll | executable
MD5: 28BA45D27EFAD6EF95FD0D8DDE080830
SHA256: BA9D4503515AA3C35891A6DE1F511421002E0EE5CCA72D1AC899BA3A144A5C5A
1632 | LMI_Rescue.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\EC-Council.lnk | binary
MD5: D5DBC37B64635451912C6B7C27B6D235
SHA256: 90B036346BA6460C50545840F32C8355110EF0FAF490010A243334A353623A27
1632 | LMI_Rescue.exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\rescue.info | binary
MD5: FE853CE36D86711EF2F0966049AC6F2F
SHA256: BAB1053030B2C88CC64B4D5C44888239870248BE958761E0FC01C128204C44F9
1632 | LMI_Rescue.exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\rescue.log | binary
MD5: 3F1EC640E0588BD666BF84C714447F72
SHA256: ECFDC5DF6C94AC465ABB920214DB1415A31F2329F46DAF2E0D606CEC1D32DBEA
2736 | LMI_Rescue_srv.exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\chatlog.dat | binary
MD5: 7B6B4E22C632313C51BC3C5ED53E13C0
SHA256: F77F4C6FC588B7F46A5010B42ADA0C2F48CB8AFA4AFBCA015FB4901F82715145
1632 | LMI_Rescue.exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\chatlog.rtf | binary
MD5: 9D4A0E2B428DBA3CD6E2B7EAC522FA55
SHA256: A47FF0BD402F3CC6C955A464A6B6919EFF7F67CE32C23ECAC6E9FDF1FD0E216D
1632 | LMI_Rescue.exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\chatlog.rtf.tmp | binary
MD5: 9D4A0E2B428DBA3CD6E2B7EAC522FA55
SHA256: A47FF0BD402F3CC6C955A464A6B6919EFF7F67CE32C23ECAC6E9FDF1FD0E216D
1652 | Support-LogMeInRescue.exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\params.txt | text
MD5: EB20299DDFD782C56D5A831D544EA7BE
SHA256: AE3159C1E3D0F64559400BF6CE493FB18991B9F3CD4FF481EB42EB9CC8A8A719

HTTP(S) requests: 0
TCP/UDP connections: 6
DNS requests: 10
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2736 | LMI_Rescue_srv.exe | 158.120.16.94:443 | control.rsc-app24-02.logmeinrescue.com | ORACLE-BMC-31898 | DE | unknown
2736 | LMI_Rescue_srv.exe | 158.120.16.91:443 | control.rsc-app24-03.logmeinrescue.com | ORACLE-BMC-31898 | DE | unknown

DNS requests

Domain | IP | Reputation
rescue-data-center.logmein-gateway.com | 216.219.114.24 | unknown
rescue-list.24.logmein-gateway.com | - | unknown
control.rsc-app24-02.logmeinrescue.com | 158.120.16.94 | unknown
control.rsc-app24-03.logmeinrescue.com | 158.120.16.91 | unknown

Threats

No threats detected
No debug info