File name: Support-LogMeInRescue.exe

Full analysis: https://app.any.run/tasks/a2a585d3-7c6f-4bbb-b1b6-42c5cc702542
Verdict: Malicious activity
Analysis date: February 06, 2024, 18:04:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 4FD2C55376DC70F9305B6BC072A44081
SHA1: 2333D1E308B0FC2D5F60297BB8510A2184F5955D
SHA256: 3E7152A6066A285E13226234D2D9C1EE9034C8B64135EC9871FCAD9E71CA13DC
SSDEEP: 98304:2rLX/fjIfIJDg/wEhf9h89tx89umeDgW9WdqZfXxsgmTWVu5LAuAIxk/090xQR2K:NKAxcax

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • Support-LogMeInRescue.exe (PID: 1652)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • Support-LogMeInRescue.exe (PID: 1652)
    • Reads settings of System Certificates
      • LMI_Rescue_srv.exe (PID: 2736)
    • Reads the Internet Settings
      • LMI_Rescue.exe (PID: 1632)
      • LMI_Rescue_srv.exe (PID: 2736)
    • Reads the Windows owner or organization settings
      • LMI_Rescue_srv.exe (PID: 2736)
  • INFO
    • Checks supported languages
      • Support-LogMeInRescue.exe (PID: 1652)
      • LMI_Rescue.exe (PID: 1632)
      • LMI_Rescue_srv.exe (PID: 2736)
    • Reads the computer name
      • LMI_Rescue.exe (PID: 1632)
      • LMI_Rescue_srv.exe (PID: 2736)
    • Reads the machine GUID from the registry
      • LMI_Rescue.exe (PID: 1632)
      • LMI_Rescue_srv.exe (PID: 2736)
    • Creates files or folders in the user directory
      • LMI_Rescue.exe (PID: 1632)
      • Support-LogMeInRescue.exe (PID: 1652)
    • Reads Windows Product ID
      • LMI_Rescue_srv.exe (PID: 2736)
    • Checks proxy server information
      • LMI_Rescue_srv.exe (PID: 2736)
      • LMI_Rescue.exe (PID: 1632)
    • Process checks whether UAC notifications are on
      • LMI_Rescue_srv.exe (PID: 2736)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:11:08 10:23:42+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 79872
InitializedDataSize: 2498560
UninitializedDataSize: -
EntryPoint: 0x3c6a
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 7.51.440.2510
ProductVersionNumber: 7.51.440.2510
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: LogMeIn, Inc.
FileDescription: LogMeIn Rescue
FileVersion: 7.51.440
InternalName: Rescue
LegalCopyright: Copyright © 2005-2023 LogMeIn, Inc. US patents pending.
OriginalFileName: LMIRescue.exe
ProductName: LogMeIn Rescue
ProductVersion: 7.51.440
Total processes: 38
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start -> support-logmeinrescue.exe -> lmi_rescue.exe (no specs) -> lmi_rescue_srv.exe

Process information

PID: 1632
CMD: "C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\LMI_Rescue.exe"
Path: C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\LMI_Rescue.exe
Parent process: Support-LogMeInRescue.exe
User: admin
Company: LogMeIn, Inc.
Integrity Level: MEDIUM
Description: LogMeIn Rescue
Exit code: 0
Version: 7.51.440
Modules (images):
c:\users\admin\appdata\local\logmein rescue applet\lmir0fe24001.tmp\lmi_rescue.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 1652
CMD: "C:\Users\admin\AppData\Local\Temp\Support-LogMeInRescue.exe"
Path: C:\Users\admin\AppData\Local\Temp\Support-LogMeInRescue.exe
Parent process: explorer.exe
User: admin
Company: LogMeIn, Inc.
Integrity Level: MEDIUM
Description: LogMeIn Rescue
Exit code: 0
Version: 7.51.440
Modules (images):
c:\users\admin\appdata\local\temp\support-logmeinrescue.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 2736
CMD: "C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\LMI_Rescue_srv.exe" -wd "C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp"
Path: C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\LMI_Rescue_srv.exe
Parent process: LMI_Rescue.exe
User: admin
Company: LogMeIn, Inc.
Integrity Level: MEDIUM
Description: LogMeIn Rescue
Exit code: 0
Version: 7.51.440
Modules (images):
c:\users\admin\appdata\local\logmein rescue applet\lmir0fe24001.tmp\lmi_rescue_srv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wtsapi32.dll
Total events: 4 039
Read events: 4 025
Write events: 14
Delete events: 0

Modification events

(PID) Process: (2736) LMI_Rescue_srv.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
Executable files: 7
Suspicious files: 10
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1632 | LMI_Rescue.exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\rescue.log | binary
  MD5: 3F1EC640E0588BD666BF84C714447F72
  SHA256: ECFDC5DF6C94AC465ABB920214DB1415A31F2329F46DAF2E0D606CEC1D32DBEA
1652 | Support-LogMeInRescue.exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\rescue.ico | image
  MD5: 8AD28E79941CE3E002804DFE1722EA87
  SHA256: 63424E176B75642EBAC9E5452ECCC8C6956266DACC0AE4388D636D5BEE5E7933
1652 | Support-LogMeInRescue.exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\RescueWinRTLib.dll | executable
  MD5: 1796E545759B87574D7828970E1E6DCB
  SHA256: FA69C01041A06EC9EE98973F1D02545B679AF1D25FF3514C6ADD6412609DB175
1652 | Support-LogMeInRescue.exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\rahook.dll | executable
  MD5: 6D66D03217FD2B860EFD705903E08F24
  SHA256: 887F5BE572899CD5CE665060B16198A7E02FB93F8833EBFDF6E6E6356773016A
1652 | Support-LogMeInRescue.exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\ra64app.exe | executable
  MD5: 4B31A2506688D56CCF4255EB65A02BCF
  SHA256: EAD741CDAB1777CB8FAA2E20B985158046B403BF705C37AF8E110DEF393D133F
1632 | LMI_Rescue.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\EC-Council.lnk | binary
  MD5: D5DBC37B64635451912C6B7C27B6D235
  SHA256: 90B036346BA6460C50545840F32C8355110EF0FAF490010A243334A353623A27
1652 | Support-LogMeInRescue.exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\nvdaControllerClient32.dll | executable
  MD5: 28BA45D27EFAD6EF95FD0D8DDE080830
  SHA256: BA9D4503515AA3C35891A6DE1F511421002E0EE5CCA72D1AC899BA3A144A5C5A
2736 | LMI_Rescue_srv.exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\chatlog.dat | binary
  MD5: 7B6B4E22C632313C51BC3C5ED53E13C0
  SHA256: F77F4C6FC588B7F46A5010B42ADA0C2F48CB8AFA4AFBCA015FB4901F82715145
1652 | Support-LogMeInRescue.exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\logo.bmp | binary
  MD5: CDB31BAAACCACC9273484427F39AA5CB
  SHA256: 003AA4DEB3D5184FB7B618DF99B680611CBCFA3D764D5A2A210FF4CAE5EC96B8
1632 | LMI_Rescue.exe | C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0FE24001.tmp\rescue.info | binary
  MD5: FE853CE36D86711EF2F0966049AC6F2F
  SHA256: BAB1053030B2C88CC64B4D5C44888239870248BE958761E0FC01C128204C44F9
HTTP(S) requests: 0
TCP/UDP connections: 6
DNS requests: 10
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2736 | LMI_Rescue_srv.exe | 158.120.16.94:443 | control.rsc-app24-02.logmeinrescue.com | ORACLE-BMC-31898 | DE | unknown
2736 | LMI_Rescue_srv.exe | 158.120.16.91:443 | control.rsc-app24-03.logmeinrescue.com | ORACLE-BMC-31898 | DE | unknown

DNS requests

Domain | IP | Reputation
rescue-data-center.logmein-gateway.com | 216.219.114.24 | unknown
rescue-list.24.logmein-gateway.com | - | unknown
control.rsc-app24-02.logmeinrescue.com | 158.120.16.94 | unknown
control.rsc-app24-03.logmeinrescue.com | 158.120.16.91 | unknown

Threats

No threats detected
No debug info