File name: Support-LogMeInRescue (2).exe

Full analysis: https://app.any.run/tasks/e4b0db6a-8b3f-4b6e-b11a-ae82bd355b7b
Verdict: Malicious activity
Analysis date: October 20, 2023, 15:18:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 70CED57DC17DD7AE8636F94C7BFEEC61
SHA1: 91E4A4A47DF5B3692ED950AF800B0EB8016D9B9D
SHA256: D4361F7F0C7603FD97E3E32C6A76072703ADB940A30547817053B34D4350C070
SSDEEP: 49152:nTcEAcUUwwNrCndZ8GIJ4zNR3jkhc6HVqw7VztTRf+SfbM0DNR9dUra:nTic3XOndVX33677V2SNDG2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Support-LogMeInRescue (2).exe (PID: 2752)
      • LMI_Rescue_srv.exe (PID: 612)
    • Application was dropped or rewritten from another process

      • LMI_Rescue_srv.exe (PID: 3204)
      • LMI_Rescue.exe (PID: 3184)
    • Loads dropped or rewritten executable

      • ctfmon.exe (PID: 1708)
      • LMI_Rescue.exe (PID: 3184)
  • SUSPICIOUS

    • Reads the Internet Settings

      • LMI_Rescue.exe (PID: 3184)
      • LMI_Rescue_srv.exe (PID: 3204)
    • Reads the Windows owner or organization settings

      • LMI_Rescue_srv.exe (PID: 3204)
    • Application launched itself

      • LMI_Rescue_srv.exe (PID: 3204)
    • Executes as Windows Service

      • LMI_Rescue_srv.exe (PID: 3612)
    • Executing commands from a ".bat" file

      • LMI_Rescue_srv.exe (PID: 3612)
    • Starts CMD.EXE for commands execution

      • LMI_Rescue_srv.exe (PID: 3612)
  • INFO

    • Checks supported languages

      • LMI_Rescue.exe (PID: 3184)
      • Support-LogMeInRescue (2).exe (PID: 2752)
      • LMI_Rescue_srv.exe (PID: 3204)
    • Reads the computer name

      • LMI_Rescue.exe (PID: 3184)
      • LMI_Rescue_srv.exe (PID: 3204)
    • Creates files or folders in the user directory

      • Support-LogMeInRescue (2).exe (PID: 2752)
      • LMI_Rescue.exe (PID: 3184)
    • Reads the machine GUID from the registry

      • LMI_Rescue.exe (PID: 3184)
      • LMI_Rescue_srv.exe (PID: 3204)
    • Checks proxy server information

      • LMI_Rescue.exe (PID: 3184)
      • LMI_Rescue_srv.exe (PID: 3204)
    • Reads Windows Product ID

      • LMI_Rescue_srv.exe (PID: 3204)
    • Process checks are UAC notifies on

      • LMI_Rescue_srv.exe (PID: 3204)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

ProductVersion: 7.51.437
ProductName: LogMeIn Rescue
OriginalFileName: LMIRescue.exe
LegalCopyright: Copyright © 2005-2023 LogMeIn, Inc. US patents pending.
InternalName: Rescue
FileVersion: 7.51.437
FileDescription: LogMeIn Rescue
CompanyName: LogMeIn, Inc.
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Dynamic link library
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 7.51.437.2501
FileVersionNumber: 7.51.437.2501
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0x3c6a
UninitializedDataSize: -
InitializedDataSize: 2502144
CodeSize: 79872
LinkerVersion: 14.29
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2023:05:25 16:26:42+00:00
MachineType: Intel 386 or later, and compatibles
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 9
Malicious processes: 5
Suspicious processes: 1

Behavior graph

Processes in the graph (edge labels "drop and start" / "start"): support-logmeinrescue (2).exe, lmi_rescue.exe, lmi_rescue_srv.exe, explorer.exe, ctfmon.exe, lmi_rescue_srv.exe, lmi_rescue_srv.exe, bcdedit.exe, cmd.exe

Process information

PID: 612
CMD: "C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0E55B001.tmp\LMI_Rescue_srv.exe" -regrunsvc -wd "C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0E55B001.tmp" -sid 6b41b12d-0372-de76-7a80-38eee4e2fdf3
Path: C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0E55B001.tmp\LMI_Rescue_srv.exe
Parent process: LMI_Rescue_srv.exe
User: admin
Company: LogMeIn, Inc.
Integrity Level: HIGH
Description: LogMeIn Rescue
Exit code: 0
Version: 7.51.437

PID: 1400
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules:
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 1708
CMD: C:\Windows\System32\ctfmon.exe
Path: C:\Windows\System32\ctfmon.exe
Parent process: taskeng.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: CTF Loader
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules:
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll

PID: 2440
CMD: C:\Windows\system32\bcdedit.exe /deletevalue safeboot
Path: C:\Windows\System32\bcdedit.exe
Parent process: LMI_Rescue_srv.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Boot Configuration Data Editor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2752
CMD: "C:\Users\admin\AppData\Local\Temp\Support-LogMeInRescue (2).exe"
Path: C:\Users\admin\AppData\Local\Temp\Support-LogMeInRescue (2).exe
Parent process: explorer.exe
User: admin
Company: LogMeIn, Inc.
Integrity Level: MEDIUM
Description: LogMeIn Rescue
Exit code: 0
Version: 7.51.437
Modules:
c:\users\admin\appdata\local\temp\support-logmeinrescue (2).exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 3084
CMD: "C:\Windows\system32\cmd.exe" /S/C "C:\Program Files\LMIR0E568001.tmp.bat"
Path: C:\Windows\System32\cmd.exe
Parent process: LMI_Rescue_srv.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3184
CMD: "C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0E55B001.tmp\LMI_Rescue.exe"
Path: C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0E55B001.tmp\LMI_Rescue.exe
Parent process: Support-LogMeInRescue (2).exe
User: admin
Company: LogMeIn, Inc.
Integrity Level: MEDIUM
Description: LogMeIn Rescue
Exit code: 0
Version: 7.51.437
Modules:
c:\users\admin\appdata\local\logmein rescue applet\lmir0e55b001.tmp\lmi_rescue.exe
c:\windows\system32\kernel32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll

PID: 3204
CMD: "C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0E55B001.tmp\LMI_Rescue_srv.exe" -wd "C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0E55B001.tmp"
Path: C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0E55B001.tmp\LMI_Rescue_srv.exe
Parent process: LMI_Rescue.exe
User: admin
Company: LogMeIn, Inc.
Integrity Level: MEDIUM
Description: LogMeIn Rescue
Exit code: 0
Version: 7.51.437
Modules:
c:\users\admin\appdata\local\logmein rescue applet\lmir0e55b001.tmp\lmi_rescue_srv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wtsapi32.dll

PID: 3612
CMD: "C:\Program Files\LogMeIn Rescue Applet\LMIR0E568001.tmp\LMI_Rescue_srv.exe" -service -sid 6b41b12d-0372-de76-7a80-38eee4e2fdf3 -wd "C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0E55B001.tmp"
Path: C:\Program Files\LogMeIn Rescue Applet\LMIR0E568001.tmp\LMI_Rescue_srv.exe
Parent process: services.exe
User: SYSTEM
Company: LogMeIn, Inc.
Integrity Level: SYSTEM
Description: LogMeIn Rescue
Exit code: 0
Version: 7.51.437

Total events: 1 953
Read events: 1 950
Write events: 2
Delete events: 1

Modification events

(PID) Process: (1400) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value:

(PID) Process: (1400) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts
Operation: delete key
Name: (default)
Value:

(PID) Process: (1400) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Executable files: 14
Suspicious files: 9
Text files: 6
Unknown types: 0

Dropped files

PID: 2752 | Process: Support-LogMeInRescue (2).exe | Type: executable
Filename: C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0E55B001.tmp\LMI_RescueRC.exe
MD5: 3F336E115828757EDAEB098521E145B7
SHA256: D410F234BFB26FA8BC3A2E24F81455575377C3A91A7B7AD5697A63442FD1049C

PID: 2752 | Process: Support-LogMeInRescue (2).exe | Type: executable
Filename: C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0E55B001.tmp\rahook.dll
MD5: 17F1BDF211C34FD19AAEB9F7E03F7937
SHA256: D4CCFF953CAFE75BAD8476FD8D81529A34D9CC376215529AAF4EE58C7C02B7FA

PID: 2752 | Process: Support-LogMeInRescue (2).exe | Type: executable
Filename: C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0E55B001.tmp\LMI_Rescue.exe
MD5: 57621BFB740A226F6C8B1FDA71EE1C8C
SHA256: 85760BC19AC546AE89D573E7F43E6252FF80772B3C0F5C91A016708267549B6C

PID: 2752 | Process: Support-LogMeInRescue (2).exe | Type: executable
Filename: C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0E55B001.tmp\Lmi_Rescue_srv.exe
MD5: 056BD94AEBEBE669147BB38999EDA338
SHA256: 3EC89E2896E6E8E102C34D5D0ED0FD0915EF0E3CBBEE0FC1CEDCD7000447CE89

PID: 2752 | Process: Support-LogMeInRescue (2).exe | Type: executable
Filename: C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0E55B001.tmp\RescueWinRTLib.dll
MD5: 32230C932A691217EBBE59FA95F4E7D0
SHA256: 9EE3E0E44DC221B3ADB1B2086FE7AAB6836F98CF8DA6336683D3F43698B0F30F

PID: 2752 | Process: Support-LogMeInRescue (2).exe | Type: text
Filename: C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0E55B001.tmp\params.txt
MD5: E4D7D4CF9AB7E8E3C96AA166E7187E59
SHA256: FB69D0DBA22C75ED64CDDB59D8C3D21514CED1182AD3C394796D6049C032822D

PID: 2752 | Process: Support-LogMeInRescue (2).exe | Type: executable
Filename: C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0E55B001.tmp\ra64app.exe
MD5: EEF6AFE8644B1119BDDE383FBDA04381
SHA256: EF88B3950CA3744D6EFE71130B66EDCBDB55B00C70CF21EF0F92949B9C6141E6

PID: 2752 | Process: Support-LogMeInRescue (2).exe | Type: executable
Filename: C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0E55B001.tmp\nvdaControllerClient32.dll
MD5: 55AC399244B14C984728D2E072CDDD1B
SHA256: EE79DE7CF59A3EEF00E4A10B0A1247A6F96D6944ACD59F948ACCAB1562F797DD

PID: 2752 | Process: Support-LogMeInRescue (2).exe | Type: image
Filename: C:\Users\admin\AppData\Local\LogMeIn Rescue Applet\LMIR0E55B001.tmp\logo.bmp
MD5: 69971E61740C78ADD23417C524CBC326
SHA256: 9E4803EF8A15ECF8CD338A0F1EDD746C2AE1289E43832F869E09033D2FE5A257

PID: 612 | Process: LMI_Rescue_srv.exe | Type: executable
Filename: C:\Program Files\LogMeIn Rescue Applet\LMIR0E568001.tmp\LMI_Rescue_srv.exe
MD5: 056BD94AEBEBE669147BB38999EDA338
SHA256: 3EC89E2896E6E8E102C34D5D0ED0FD0915EF0E3CBBEE0FC1CEDCD7000447CE89

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 6
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:138 | - | - | - | unknown
- | - | 192.168.100.255:137 | - | - | - | unknown
- | - | 158.120.16.116:443 | control.rsc-app24-01.logmeinrescue-enterprise.com | ORACLE-BMC-31898 | DE | unknown

DNS requests

Domain | IP | Reputation
rescue-data-center.logmein-gateway.com | 216.219.114.24 | unknown
rescue-list.24.logmein-gateway.com | - | unknown
control.rsc-app24-01.logmeinrescue-enterprise.com | 158.120.16.116 | unknown

Threats

No threats detected
No debug info