Edit tour

Windows Analysis Report
rustdesk-1.1.9.exe

Overview

General Information

Sample Name:	rustdesk-1.1.9.exe
Analysis ID:	668048
MD5:	6784be19a5f870544c8e564c768eff23
SHA1:	177c876064ed39e9c06c187176f9f783833f1e1d
SHA256:	b654cb0e45016773edacb532cddfaa3faf677adbbb3bd7b61e31ed0ec23e0c91
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Queries the volume information (name, serial number etc) of a device

Installs a raw input device (often for capturing keystrokes)

PE file contains strange resources

May sleep (evasive loops) to hinder dynamic analysis

Detected TCP or UDP traffic on non-standard ports

PE file contains sections with non-standard names

Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook

Process Tree

System is w10x64

rustdesk-1.1.9.exe (PID: 6508 cmdline: "C:\Users\user\Desktop\rustdesk-1.1.9.exe" MD5: 6784BE19A5F870544C8E564C768EFF23)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: rustdesk-1.1.9.exe

Static PE information: certificate valid

Source: rustdesk-1.1.9.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\zhouh\Desktop\hbb\target\release\deps\rustdesk.pdb source: rustdesk-1.1.9.exe

Source: global traffic	TCP traffic: 192.168.2.3:49745 -> 216.128.140.17:21116
Source: global traffic	UDP traffic: 192.168.2.3:53804 -> 124.70.161.173:21116
Source: global traffic	UDP traffic: 192.168.2.3:53803 -> 18.142.155.14:21116

Source: rustdesk-1.1.9.exe	String found in binary or memory: http://%s:%d;https=https://%s:%dHTTP/1.0Content-Encodingdeflate(V
Source: rustdesk-1.1.9.exe, 00000000.00000002.537157017.00007FF66E1FD000.00000002.00000001.01000000.00000003.sdmp, rustdesk-1.1.9.exe, 00000000.00000000.254647361.00007FF66E1FD000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://%s:%d;https=https://%s:%dHTTP/1.0Content-Encodingdeflate(VHn
Source: rustdesk-1.1.9.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: rustdesk-1.1.9.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: rustdesk-1.1.9.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: rustdesk-1.1.9.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: rustdesk-1.1.9.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: rustdesk-1.1.9.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: rustdesk-1.1.9.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: rustdesk-1.1.9.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: rustdesk-1.1.9.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: rustdesk-1.1.9.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: rustdesk-1.1.9.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: rustdesk-1.1.9.exe, 00000000.00000002.531206451.0000016B69A52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: rustdesk-1.1.9.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: rustdesk-1.1.9.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: rustdesk-1.1.9.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: rustdesk-1.1.9.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: rustdesk-1.1.9.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: rustdesk-1.1.9.exe	String found in binary or memory: http://rustdesk.com/privacy
Source: rustdesk-1.1.9.exe	String found in binary or memory: https://admin.rustdesk.comrustdesk.com/api/audit
Source: rustdesk-1.1.9.exe	String found in binary or memory: https://admin.rustdesk.comrustdesk.com/api/auditP
Source: rustdesk-1.1.9.exe	String found in binary or memory: https://developers.google.com/protocol-buffers/
Source: rustdesk-1.1.9.exe	String found in binary or memory: https://developers.google.com/protocol-buffers/docs/proto#options
Source: rustdesk-1.1.9.exe	String found in binary or memory: https://docs.rs/flexi_logger/latest/flexi_logger/error_info/index.html#
Source: rustdesk-1.1.9.exe	String found in binary or memory: https://docs.rs/flexi_logger/latest/flexi_logger/error_info/index.html#(
Source: rustdesk-1.1.9.exe	String found in binary or memory: https://github.com/c-smile/sciter-sdk/blob/master/doc/content/sciter/Event.htm
Source: rustdesk-1.1.9.exe	String found in binary or memory: https://github.com/rust-lang/rust/issues/39364
Source: rustdesk-1.1.9.exe	String found in binary or memory: https://rustdesk.com
Source: rustdesk-1.1.9.exe	String found in binary or memory: https://rustdesk.com/blog/id-relay-set/
Source: rustdesk-1.1.9.exe	String found in binary or memory: https://rustdesk.com/docs/en/manual/linux/#x11-requiredNot
Source: rustdesk-1.1.9.exe	String found in binary or memory: https://rustdesk.com/docs/en/manual/mac/#enable-permissionsN
Source: rustdesk-1.1.9.exe	String found in binary or memory: https://rustdesk.com/docs/ru/manual/mac/#
Source: rustdesk-1.1.9.exe	String found in binary or memory: https://rustdesk.com/docs/zh-cn/manual/mac/#
Source: rustdesk-1.1.9.exe	String found in binary or memory: https://rustdesk.com/docs/zh-tw/manual/mac/#
Source: rustdesk-1.1.9.exe	String found in binary or memory: https://rustdesk.com/privacy
Source: rustdesk-1.1.9.exe	String found in binary or memory: https://sciter.com/docs/content/sciter/Event.htm
Source: rustdesk-1.1.9.exe	String found in binary or memory: https://sciter.com/event-handling/
Source: rustdesk-1.1.9.exe	String found in binary or memory: https://sciter.com/forums/topic/replacecustomize-context-menu/
Source: rustdesk-1.1.9.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: rustdesk-1.1.9.exe	String found in binary or memory: https://stackoverflow.com/questions/5833399/calculating-scroll-inertia-momentum

Source: unknown

DNS traffic detected: queries for: rs-ny.rustdesk.com

Source: rustdesk-1.1.9.exe, 00000000.00000002.537157017.00007FF66E1FD000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: RegisterRawInputDevices

Source: rustdesk-1.1.9.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: rustdesk-1.1.9.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe

File created: C:\Users\user\AppData\Roaming\RustDesk

Jump to behavior

Source: rustdesk-1.1.9.exe	String found in binary or memory: -installH3P
Source: rustdesk-1.1.9.exe	String found in binary or memory: --silent-install--before-uninstall
Source: rustdesk-1.1.9.exe	String found in binary or memory: rustdeskFailed to after-install:
Source: rustdesk-1.1.9.exe	String found in binary or memory: msgbox("custom-add-id", translate("Add ID"), <div .form>
Source: rustdesk-1.1.9.exe	String found in binary or memory: msgbox("custom-add-tag", translate("Add Tag"), <div .form>
Source: rustdesk-1.1.9.exe	String found in binary or memory: {handler.show_run_without_install() && <button .button #run-without-install .outline style="margin-left: 2em;">
Source: rustdesk-1.1.9.exe	String found in binary or memory: event click $(#run-without-install) {
Source: rustdesk-1.1.9.exe	String found in binary or memory: --connectindex.html--installinstall.htmlconnection-managercm.htmlnative-remoteremote.htmlWrong command:
Source: rustdesk-1.1.9.exe	String found in binary or memory: --connectindex.html--installinstall.htmlconnection-managercm.htmlnative-remoteremote.htmlWrong command:
Source: rustdesk-1.1.9.exe	String found in binary or memory: application/x-nokia-9000-communicator-add-on-software
Source: rustdesk-1.1.9.exe	String found in binary or memory: application/x-helpfile
Source: rustdesk-1.1.9.exe	String found in binary or memory: application/hlp,application/x-helpfile,application/x-winhelp,application/winhlp
Source: rustdesk-1.1.9.exe	String found in binary or memory: marker-start
Source: rustdesk-1.1.9.exe	String found in binary or memory: animation-start!
Source: rustdesk-1.1.9.exe	String found in binary or memory: <!--StartFragment-->
Source: rustdesk-1.1.9.exe	String found in binary or memory: rtypestylehiddencontentpositionheightwidth_UNKNOWNTTIBUSTRIKESQDELINSBIGSMALLSUBSUPEMSTRONGDFNCODESAMPKBDVARCITEBRINPUTOUTPUTBUTTONSELECTTEXTAREAHTMLAREARICHTEXTPLAINTEXTPTEXT_BEFORE_AFTER_MARKER_SHADEULOLDLDIRMENUPREDIVCENTERBLOCKQUOTEDDDTLIFORMHRSPLITTERH1H2H3H4H5H6ADDRESSAIMGFONTBASEFONTMAPAREAHTMLBODYHEADTABLETDTHTBODYTHEADTFOOTCAPTIONCOLCOLGROUPTRTITLEISINDEXBASESTYLEMETALINKSCRIPTCOMPONENTREACTOROPTIONOPTGROUPOPTIONSWIDGETPARAMOBJECTFIELDSETLEGENDSPANLABELNOBRIFRAMEFRAMEFRAMESETPOPUPINCLUDEPICTURESECTIONARTICLEASIDEHGROUPHEADERFOOTERMAINPAGEFRAMEPAGEBOXNAVTOOLBARMARKPROGRESSMETERTIMEFIGUREFIGCAPTIONDETAILSSUMMARYSVGGPATHRECTCIRCLEELLIPSELINEPOLYLINEPOLYGONSWITCHUSEDEFSMASKRADIALGRADIENTLINEARGRADIENTSTOPVIDEOSOURCECANVAS_SERVICE_FRAGMENT_TOTALUNKNOWNnameidkeyhreftargetforlangstylesetbackgroundbgcolorvspacehspaceborderbordercolorcellpaddingcellspacingfixedrowsfixedcolsfixedlayoutalignvalignaltsizevaluenovalueplaceholdercolornowraprowspancolspanflowminwidthminheightmaxwidthmaxheightfacetabindexcheckedselecteddisabledreadonlycurrentanchormultiplelabelpopupcolsrowstitletitleidroleprototypemaxvalueminvaluemaxlengthcommandstarttooltipexpandedcollapsedvisiblecontenteditablerelaria-labelaria-labelledbyaria-describedbyaria-descriptionmediarxryyviewboxx1y1x2y2cxcyfillfill-opacityfill-rulestrokestroke-widthstroke-linecapstroke-linejoinstroke-miterlimitstroke-dasharraystroke-dashoffsetstroke-opacitymarkermarker-startmarker-midmarker-endstop-colorstop-opacityopacitytext-anchoralignment-baselinedominant-baselinegradientunitsoffsetgradienttransformtransformpointsspellcheckasthemewindow-statedirectiondisplayvisibilityclearfloatfontfont-familyfont-sizefont-stylefont-variantfont-variant-ligaturesfont-variant-capsfont-weightfont-rendering-modeletter-spacingline-heighttext-aligntext-decorationtext-decoration-styletext-decoration-linetext-decoration-colortext-decoration-thicknesstext-indenttext-overflowtext-shadowtext-transformwhite-spacetext-wrapword-wrapword-breaktab-sizetext-selection-colortext-selection-background-colortext-selection-caret-colortext-selectionmin-heightmin-widthmax-heightmax-widthbox-sizingclip-boxvertical-aligncontent-vertical-alignhorizontal-aligncontent-horizontal-alignbackground-attachmentbackground-colorbackground-imagebackground-positionbackground-position-topbackground-position-leftbackground-position-rightbackground-position-bottombackground-repeatbackground-offsetbackground-offset-topbackground-offset-leftbackground-offset-rightbackground-offset-bottombackground-sizebackground-widthbackground-heightbackground-clipbackground-image-framebackground-blend-modeborder-bottomborder-bottom-colorborder-bottom-styleborder-bottom-widthborder-collapseborder-colorborder-leftborder-left-colorborder-left-styleborder-left-widthborder-rightborder-right-colorborder-right-styleborder-right-widthborder-styleborder-topborder-top-colorborder-top-styleborder-top-widthborder-widthmarginmargin-bottommargin-leftmargin-rightmargin-toppaddingpadding-bottompadd
Source: rustdesk-1.1.9.exe	String found in binary or memory:  =""<!----></>></<table><!--StartFragment--></tr><tr><!--EndFragment--></table></html>BrokenHeartattempt to get property '%s' of nullptrnullptraddupdatedeleteadd-rangeupdate-rangedelete-rangebad allocationalert
Source: rustdesk-1.1.9.exe	String found in binary or memory: Pedit:cutedit:copyedit:pasteedit:paste-textedit:selectalledit:undoedit:redoedit:delete-nextedit:delete-prevedit:delete-word-nextedit:delete-word-prevedit:delete-line-starth
Source: rustdesk-1.1.9.exe	String found in binary or memory: top-lefttop-centertop-rightbottom-leftbottom-centerbottom-rightinheritmiddle-leftmiddle-centermiddle-rightat-startat-endat-headat-taildefault%.*f%sh
Source: rustdesk-1.1.9.exe	String found in binary or memory: file://text/tiscriptapplication/tiscriptapplication/jsontext/json+xmlonSubmitonResetsizemovingsidesizingreplacement-startreplacement-endresolutionchangeby-mouseactivatedactivateonRequestonRequestResponsebuttonstrayicon-clickpost-dataput-datapost-jsonput-jsondelete-jsonapplication/json;charset=utf-8SOCKET IOV=VV=S#\|V=\|V=time is over to complete the requestelement is not in the DOMwindow is not visiblew+bV*V=no url providedsuccesserrorcompleteprogressprotocolparamsheaderstoFileoutputusernamenoCachetrySyncFILE IObytesstreamproxyHostproxyPortpostputdeletemultipartH\
Source: rustdesk-1.1.9.exe	String found in binary or memory: navigate:backwardnavigate:word-startnavigate:forwardnavigate:word-endnavigate:upnavigate:downnavigate:line-startnavigate:line-endnavigate:startnavigate:end
Source: rustdesk-1.1.9.exe	String found in binary or memory: ERRORTAG-STARTTAG-ENDTAG-HEAD-ENDTAG-EMPTY-ENDTAG-ATTRTEXTCOMMENTCDATAPIDOCTYPEENTITIY@j
Source: rustdesk-1.1.9.exe	String found in binary or memory: <html><body><!--StartFragment--><img src='
Source: rustdesk-1.1.9.exe	String found in binary or memory: split failurewrap failureTransactionremoveAttributesetAttributesetTagsetTextinsertHTMLdeleteSelectiondeleteRangedeleteNodecollapseSelectionpn && pn->is_element()pos.valid()pos.node->is_text()bm.valid()bm.node->is_text()n->parentpt->is_text()pn->parent!nbsp_injectionat.node->is_element()delete rangedelete characterinsert plaintext(root_s == root_e) && root_ebase->belongs_to(root_s, true)apply <%S> spanremove <%S> spanstb_start && tb_endstart.valid() && end.valid()first.valid() && end.valid()pull <%S> elementbm.node->is_element()insert rownew_listnew_list_iteminsert elementsplit paragraphapply listremove listmorph blockwrap blockapply blockreset blockunindentindentapply pretexts[n]->parentpapa->belongs_to(pre_root,true)remove prefirst && lastfirst->is_connected() && last->is_connected()<html><body><!--StartFragment--><img src='' /><!--EndFragment--></body></html>pel->parent && pel->parent != untilStartFragmentEndFragmentinsert htmlgeneratorpbcbm.valid() && bm.node->is_element()headstyle,link,meta,title,basemerge html

Source: rustdesk-1.1.9.exe	Binary string: \Device\Afd\Mio
Source: rustdesk-1.1.9.exe	Binary string: Failed to open \Device\Afd\Mio:

Source: classification engine

Classification label: clean2.winEXE@1/14@8/4

Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: rustdesk-1.1.9.exe

Static file information: File size 15250920 > 1048576

Source: rustdesk-1.1.9.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: rustdesk-1.1.9.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: rustdesk-1.1.9.exe

Static PE information: certificate valid

Source: rustdesk-1.1.9.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0xaab200
Source: rustdesk-1.1.9.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x31ae00

Source: rustdesk-1.1.9.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: rustdesk-1.1.9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: rustdesk-1.1.9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: rustdesk-1.1.9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: rustdesk-1.1.9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: rustdesk-1.1.9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: rustdesk-1.1.9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: rustdesk-1.1.9.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: rustdesk-1.1.9.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\zhouh\Desktop\hbb\target\release\deps\rustdesk.pdb source: rustdesk-1.1.9.exe

Source: rustdesk-1.1.9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: rustdesk-1.1.9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: rustdesk-1.1.9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: rustdesk-1.1.9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: rustdesk-1.1.9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: rustdesk-1.1.9.exe

Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Window / User API: threadDelayed 972	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Window / User API: threadDelayed 1012	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Window / User API: threadDelayed 948	Jump to behavior

Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe TID: 6672	Thread sleep time: -32076s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe TID: 6676	Thread sleep time: -33396s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe TID: 6660	Thread sleep time: -31284s >= -30000s	Jump to behavior

Source: rustdesk-1.1.9.exe, 00000000.00000002.524638667.0000016B63C4F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rustdesk-1.1.9.exe, 00000000.00000002.524638667.0000016B63C4F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW q
Source: rustdesk-1.1.9.exe, 00000000.00000002.524638667.0000016B63C4F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW]

Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk\log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk\log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk\log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk\log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk\log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk\log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk\log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk\log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk\log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk\config VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk\config VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk\config VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk\config VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk\config VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk\config VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk\config VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk\config VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk\config VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk\config VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk\config VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk\config VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Users\user\AppData\Roaming\RustDesk\config VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe	Queries volume information: C:\Program Files VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\rustdesk-1.1.9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	Path Interception	1 Masquerading	11 Input Capture	1 Security Software Discovery	Remote Services	11 Input Capture	Exfiltration Over Other Network Medium	1 Non-Standard Port	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rustdesk-1.1.9.exe	0%	Virustotal		Browse

Source	Detection	Scanner	Link
rs-ny.rustdesk.com	0%	Virustotal	Browse
rs-cn.rustdesk.com	0%	Virustotal	Browse
rs-sg.rustdesk.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://%s:%d;https=https://%s:%dHTTP/1.0Content-Encodingdeflate(V	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
https://admin.rustdesk.comrustdesk.com/api/audit	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
https://rustdesk.com	0%	Avira URL Cloud	safe
https://sciter.com/forums/topic/replacecustomize-context-menu/	0%	Avira URL Cloud	safe
http://fontfabrik.com	0%	URL Reputation	safe
https://rustdesk.com/docs/en/manual/linux/#x11-requiredNot	0%	Avira URL Cloud	safe
https://rustdesk.com/docs/ru/manual/mac/#	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
https://admin.rustdesk.comrustdesk.com/api/auditP	0%	Avira URL Cloud	safe
https://sciter.com/event-handling/	0%	Avira URL Cloud	safe
https://rustdesk.com/blog/id-relay-set/	0%	Avira URL Cloud	safe
https://rustdesk.com/docs/en/manual/mac/#enable-permissionsN	0%	Avira URL Cloud	safe
http://rustdesk.com/privacy	0%	Avira URL Cloud	safe
http://%s:%d;https=https://%s:%dHTTP/1.0Content-Encodingdeflate(VHn	0%	Avira URL Cloud	safe
https://rustdesk.com/docs/zh-cn/manual/mac/#	0%	Avira URL Cloud	safe
https://sciter.com/docs/content/sciter/Event.htm	0%	Avira URL Cloud	safe
https://rustdesk.com/docs/zh-tw/manual/mac/#	0%	Avira URL Cloud	safe
https://rustdesk.com/privacy	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
rs-ny.rustdesk.com	216.128.140.17	true	false	0%, Virustotal, Browse	unknown
rs-cn.rustdesk.com	124.70.161.173	true	false	0%, Virustotal, Browse	unknown
rs-sg.rustdesk.com	18.142.155.14	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://%s:%d;https=https://%s:%dHTTP/1.0Content-Encodingdeflate(V	rustdesk-1.1.9.exe	false	Avira URL Cloud: safe	low
https://sectigo.com/CPS0	rustdesk-1.1.9.exe	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	rustdesk-1.1.9.exe	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	rustdesk-1.1.9.exe	false	URL Reputation: safe	unknown
https://stackoverflow.com/questions/5833399/calculating-scroll-inertia-momentum	rustdesk-1.1.9.exe	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	rustdesk-1.1.9.exe	false	URL Reputation: safe	unknown
https://admin.rustdesk.comrustdesk.com/api/audit	rustdesk-1.1.9.exe	false	Avira URL Cloud: safe	unknown
https://docs.rs/flexi_logger/latest/flexi_logger/error_info/index.html#(	rustdesk-1.1.9.exe	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	rustdesk-1.1.9.exe	false	URL Reputation: safe	unknown
https://rustdesk.com	rustdesk-1.1.9.exe	false	Avira URL Cloud: safe	unknown
https://sciter.com/forums/topic/replacecustomize-context-menu/	rustdesk-1.1.9.exe	false	Avira URL Cloud: safe	unknown
https://developers.google.com/protocol-buffers/	rustdesk-1.1.9.exe	false		high
http://fontfabrik.com	rustdesk-1.1.9.exe, 00000000.00000002.531206451.0000016B69A52000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://rustdesk.com/docs/en/manual/linux/#x11-requiredNot	rustdesk-1.1.9.exe	false	Avira URL Cloud: safe	unknown
https://rustdesk.com/docs/ru/manual/mac/#	rustdesk-1.1.9.exe	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	rustdesk-1.1.9.exe	false	URL Reputation: safe	unknown
https://admin.rustdesk.comrustdesk.com/api/auditP	rustdesk-1.1.9.exe	false	Avira URL Cloud: safe	unknown
https://sciter.com/event-handling/	rustdesk-1.1.9.exe	false	Avira URL Cloud: safe	unknown
https://rustdesk.com/blog/id-relay-set/	rustdesk-1.1.9.exe	false	Avira URL Cloud: safe	unknown
https://rustdesk.com/docs/en/manual/mac/#enable-permissionsN	rustdesk-1.1.9.exe	false	Avira URL Cloud: safe	unknown
http://rustdesk.com/privacy	rustdesk-1.1.9.exe	false	Avira URL Cloud: safe	unknown
http://%s:%d;https=https://%s:%dHTTP/1.0Content-Encodingdeflate(VHn	rustdesk-1.1.9.exe, 00000000.00000002.537157017.00007FF66E1FD000.00000002.00000001.01000000.00000003.sdmp, rustdesk-1.1.9.exe, 00000000.00000000.254647361.00007FF66E1FD000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	low
https://developers.google.com/protocol-buffers/docs/proto#options	rustdesk-1.1.9.exe	false		high
https://rustdesk.com/docs/zh-cn/manual/mac/#	rustdesk-1.1.9.exe	false	Avira URL Cloud: safe	unknown
https://sciter.com/docs/content/sciter/Event.htm	rustdesk-1.1.9.exe	false	Avira URL Cloud: safe	unknown
https://rustdesk.com/docs/zh-tw/manual/mac/#	rustdesk-1.1.9.exe	false	Avira URL Cloud: safe	unknown
https://github.com/c-smile/sciter-sdk/blob/master/doc/content/sciter/Event.htm	rustdesk-1.1.9.exe	false		high
https://github.com/rust-lang/rust/issues/39364	rustdesk-1.1.9.exe	false		high
https://rustdesk.com/privacy	rustdesk-1.1.9.exe	false	Avira URL Cloud: safe	unknown
https://docs.rs/flexi_logger/latest/flexi_logger/error_info/index.html#	rustdesk-1.1.9.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
216.128.140.17	rs-ny.rustdesk.com	United States	20473	AS-CHOOPAUS	false
124.70.161.173	rs-cn.rustdesk.com	China	55990	HWCSNETHuaweiCloudServicedatacenterCN	false
18.142.155.14	rs-sg.rustdesk.com	United States	16509	AMAZON-02US	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	668048
Start date and time: 18/07/202209:39:29	2022-07-18 09:39:29 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	rustdesk-1.1.9.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean2.winEXE@1/14@8/4
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-CHOOPAUS	2qzJgdlbf3	Get hash	malicious	Browse	45.77.227.102
	ZG9zspc	Get hash	malicious	Browse	78.141.232.151
	GN7Em00EeL.exe	Get hash	malicious	Browse	149.28.253.196
	0uNLydcRzJ.exe	Get hash	malicious	Browse	149.28.253.196
	QaxD1rFyK0	Get hash	malicious	Browse	45.63.53.204
	xd.arm	Get hash	malicious	Browse	155.138.237.150
	allegato-5.xls	Get hash	malicious	Browse	66.42.57.149
	mirai.m68k	Get hash	malicious	Browse	44.168.175.45
	5fH6UHOtIP.exe	Get hash	malicious	Browse	149.28.253.196
	JYLGnHEJMD.exe	Get hash	malicious	Browse	155.138.222.252
	Npmkymn57V.exe	Get hash	malicious	Browse	149.28.253.196
	4SetC05w7w.dll	Get hash	malicious	Browse	103.43.75.120
	lTaopQSh77.dll	Get hash	malicious	Browse	103.43.75.120
	tcJpDrGi4S.dll	Get hash	malicious	Browse	103.43.75.120
	5ywyY235gq.dll	Get hash	malicious	Browse	103.43.75.120
	psegJrZqzl.dll	Get hash	malicious	Browse	103.43.75.120
	0GFisgjwbN.dll	Get hash	malicious	Browse	103.43.75.120
	b4zpY14x02.dll	Get hash	malicious	Browse	66.42.57.149
	L69zUouuZJ.dll	Get hash	malicious	Browse	103.43.75.120
	DB9nlmI2M6.dll	Get hash	malicious	Browse	103.43.75.120
HWCSNETHuaweiCloudServicedatacenterCN	WzTicgZiYE	Get hash	malicious	Browse	124.70.66.78
	jew.mpsl	Get hash	malicious	Browse	139.9.40.40
	mW6l0hEXP3	Get hash	malicious	Browse	121.37.235.8
	pnS6DsNQ71	Get hash	malicious	Browse	117.78.79.83
	bot.mpsl	Get hash	malicious	Browse	121.37.188.75
	wYLmBwwbjc	Get hash	malicious	Browse	121.37.166.106
	xd.arm	Get hash	malicious	Browse	124.71.182.240
	elmAKUWDRm	Get hash	malicious	Browse	121.39.89.111
	68XjEvICNE	Get hash	malicious	Browse	124.70.97.159
	miori.arm7-20220630-2250	Get hash	malicious	Browse	117.79.127.193
	x86_64-20220630-1413	Get hash	malicious	Browse	117.79.127.197
	Oe8wH5F8V7	Get hash	malicious	Browse	121.37.235.6
	au2wimCWWx	Get hash	malicious	Browse	139.9.52.45
	D4fVT6ioPU	Get hash	malicious	Browse	117.79.60.126
	r4z0r.arm	Get hash	malicious	Browse	139.9.15.94
	wjwVKMyRxp.exe	Get hash	malicious	Browse	119.3.37.230
	5CoRYB8PAx.exe	Get hash	malicious	Browse	124.70.40.185
	zz.mips.vir	Get hash	malicious	Browse	119.3.178.161
	8A6cgjrDd2	Get hash	malicious	Browse	117.79.59.221
	NtpService.dll	Get hash	malicious	Browse	124.70.135.94

Process:	C:\Users\user\Desktop\rustdesk-1.1.9.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	919
Entropy (8bit):	3.1719754640855915
Encrypted:	false
SSDEEP:	24:7hC59uC0FzBy6RzUOu2EXWQM1QWd4ERauJitlgBuw0FGiVId4ERauJitlgBuw0FO:7hC5UC8zBy6RwTmZ1QWeERauJitlg/8c
MD5:	0F43612CA3F5AF786C7DF1B60A35F25F
SHA1:	BDE2EBA719D08276E9CEAB0F880604030F6AED21
SHA-256:	66C9F0619260101A4515F42AC20EC8EB4D4A16501C319CCC1657F2BA80FA08B0
SHA-512:	479AA8DCF97B74460090B4BCF466E423DB2223EC6541A3CEA1B4B94C1C78AB616982F28B4AE7A3A0CFBAA9B0CCF77F79F65841DE8C36BE028490E33752272A4A
Malicious:	false
Reputation:	low
Preview:	id = ''.password = ''.salt = ''.key_pair = [. [. 74,. 184,. 3,. 247,. 200,. 112,. 109,. 63,. 180,. 152,. 249,. 192,. 157,. 100,. 12,. 238,. 45,. 243,. 62,. 30,. 193,. 28,. 91,. 222,. 254,. 136,. 99,. 58,. 86,. 186,. 44,. 106,. 226,. 139,. 200,. 224,. 54,. 12,. 220,. 49,. 47,. 26,. 83,. 51,. 125,. 36,. 41,. 168,. 44,. 127,. 116,. 164,. 189,. 91,. 89,. 0,. 229,. 152,. 144,. 125,. 6,. 60,. 66,. 212,.],. [. 226,. 139,. 200,. 224,. 54,. 12,. 220,. 49,. 47,. 26,. 83,. 51,. 125,. 36,. 41,. 168,. 44,. 127,. 116,. 164,. 189,. 91,. 89,. 0,. 229,. 152,. 144,. 125,. 6,. 60,. 66,. 212,.],.].key_confirmed = false..[keys_confirmed].

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk.6508_ThreadId(11)_1658168197035800500

Download File

Process:	C:\Users\user\Desktop\rustdesk-1.1.9.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	928
Entropy (8bit):	3.1942805621316426
Encrypted:	false
SSDEEP:	24:mhC59uC0FzBy6RzUOu2EXWQM1QWd4ERauJitlgBuw0FGiVId4ERauJitlgBuw0FO:mhC5UC8zBy6RwTmZ1QWeERauJitlg/8c
MD5:	0095E5941ED85E1EB719DB6EDD87816A
SHA1:	5997AC8FF43BA77C8E287330B6EA365F5253789F
SHA-256:	44ED41B50E6C4FA9C22AEEBDA1A913C7E96574B85AC80A3D5B94E5E50E7A5993
SHA-512:	9D431F243B86CE46A21C18B50282C206D174EA5301FC4BE7D0CE0CEC23D427B41DDD66A37EB214200286EC52E6F5705454EC16CC9F913CF6E1EC90768FC73BA9
Malicious:	false
Reputation:	low
Preview:	id = '461778413'.password = ''.salt = ''.key_pair = [. [. 74,. 184,. 3,. 247,. 200,. 112,. 109,. 63,. 180,. 152,. 249,. 192,. 157,. 100,. 12,. 238,. 45,. 243,. 62,. 30,. 193,. 28,. 91,. 222,. 254,. 136,. 99,. 58,. 86,. 186,. 44,. 106,. 226,. 139,. 200,. 224,. 54,. 12,. 220,. 49,. 47,. 26,. 83,. 51,. 125,. 36,. 41,. 168,. 44,. 127,. 116,. 164,. 189,. 91,. 89,. 0,. 229,. 152,. 144,. 125,. 6,. 60,. 66,. 212,.],. [. 226,. 139,. 200,. 224,. 54,. 12,. 220,. 49,. 47,. 26,. 83,. 51,. 125,. 36,. 41,. 168,. 44,. 127,. 116,. 164,. 189,. 91,. 89,. 0,. 229,. 152,. 144,. 125,. 6,. 60,. 66,. 212,.],.].key_confirmed = false..[keys_confirmed].

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk.6508_ThreadId(11)_1658168198729737500

Download File

Process:	C:\Users\user\Desktop\rustdesk-1.1.9.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	953
Entropy (8bit):	3.2871010837963226
Encrypted:	false
SSDEEP:	24:mhC59uC0FzBy6RzUOu2EXWQM1QWd4ERauJitlgBuw0FGiVId4ERauJitlgBuw0FG:mhC5UC8zBy6RwTmZ1QWeERauJitlg/84
MD5:	5C7CA026492950AE14E04C3220F3B70C
SHA1:	D8C166B24042BBB2074DB6A0BE022E68ADED6549
SHA-256:	7407897E589E1F738FA93E8B5A74901361B2D1812E81858710A09B7585B45A02
SHA-512:	CD148694F6909FA2CDFBF3A32398738EA0A958935EB1FF1F6DEA6435E2C1335B773E2B8D84BD85C307AD6FCE14819D0CF49BEDF656B2FE277AD9957D5015E154
Malicious:	false
Reputation:	low
Preview:	id = '461778413'.password = ''.salt = ''.key_pair = [. [. 74,. 184,. 3,. 247,. 200,. 112,. 109,. 63,. 180,. 152,. 249,. 192,. 157,. 100,. 12,. 238,. 45,. 243,. 62,. 30,. 193,. 28,. 91,. 222,. 254,. 136,. 99,. 58,. 86,. 186,. 44,. 106,. 226,. 139,. 200,. 224,. 54,. 12,. 220,. 49,. 47,. 26,. 83,. 51,. 125,. 36,. 41,. 168,. 44,. 127,. 116,. 164,. 189,. 91,. 89,. 0,. 229,. 152,. 144,. 125,. 6,. 60,. 66,. 212,.],. [. 226,. 139,. 200,. 224,. 54,. 12,. 220,. 49,. 47,. 26,. 83,. 51,. 125,. 36,. 41,. 168,. 44,. 127,. 116,. 164,. 189,. 91,. 89,. 0,. 229,. 152,. 144,. 125,. 6,. 60,. 66,. 212,.],.].key_confirmed = true..[keys_confirmed].rs-ny = true.rs-sg = true.

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk.6508_ThreadId(12)_1658168198017147900

Download File

Process:	C:\Users\user\Desktop\rustdesk-1.1.9.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	927
Entropy (8bit):	3.192009129682465
Encrypted:	false
SSDEEP:	24:mhC59uC0FzBy6RzUOu2EXWQM1QWd4ERauJitlgBuw0FGiVId4ERauJitlgBuw0F7:mhC5UC8zBy6RwTmZ1QWeERauJitlg/8B
MD5:	0732AB6CC5A61D964FE7945AD653B36C
SHA1:	B357BDA0CAC9EF25458555AE037D65F405BB504E
SHA-256:	F162823631702757B1D4CAE93200BEEBCB7F897C2A0F6AC9CB316B26BA161602
SHA-512:	C85C0DE76A1CAE59304CD6A0A95D3AB45E6DF733E347F9B640611678A6E977C325732608C33D7448C4E516CCEF82DE9F9C8B315742E58728F5C9CE3FCF3B1A19
Malicious:	false
Reputation:	low
Preview:	id = '461778413'.password = ''.salt = ''.key_pair = [. [. 74,. 184,. 3,. 247,. 200,. 112,. 109,. 63,. 180,. 152,. 249,. 192,. 157,. 100,. 12,. 238,. 45,. 243,. 62,. 30,. 193,. 28,. 91,. 222,. 254,. 136,. 99,. 58,. 86,. 186,. 44,. 106,. 226,. 139,. 200,. 224,. 54,. 12,. 220,. 49,. 47,. 26,. 83,. 51,. 125,. 36,. 41,. 168,. 44,. 127,. 116,. 164,. 189,. 91,. 89,. 0,. 229,. 152,. 144,. 125,. 6,. 60,. 66,. 212,.],. [. 226,. 139,. 200,. 224,. 54,. 12,. 220,. 49,. 47,. 26,. 83,. 51,. 125,. 36,. 41,. 168,. 44,. 127,. 116,. 164,. 189,. 91,. 89,. 0,. 229,. 152,. 144,. 125,. 6,. 60,. 66,. 212,.],.].key_confirmed = true..[keys_confirmed].

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk.6508_ThreadId(12)_1658168198238520800

Download File

Process:	C:\Users\user\Desktop\rustdesk-1.1.9.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	940
Entropy (8bit):	3.241664693265447
Encrypted:	false
SSDEEP:	24:mhC59uC0FzBy6RzUOu2EXWQM1QWd4ERauJitlgBuw0FGiVId4ERauJitlgBuw0Fr:mhC5UC8zBy6RwTmZ1QWeERauJitlg/8R
MD5:	4AF30F4EC6F8679C458A5B35438D0EDF
SHA1:	88905E24925F36D16C5A3127D40BF2B5993DDEAD
SHA-256:	3DA2E6F065C6F529B2D07CBA9FB6ABDDECDB7616F2741185CC0C49965053735D
SHA-512:	71115983CACB4FCD6112B9148A7F270B82DEDF84B1B39C931B0B0B06C678EE5ACFC3F007D25A2D2C629592CE38BABFD3F1F853C5C34AA2A50D49110789C59394
Malicious:	false
Reputation:	low
Preview:	id = '461778413'.password = ''.salt = ''.key_pair = [. [. 74,. 184,. 3,. 247,. 200,. 112,. 109,. 63,. 180,. 152,. 249,. 192,. 157,. 100,. 12,. 238,. 45,. 243,. 62,. 30,. 193,. 28,. 91,. 222,. 254,. 136,. 99,. 58,. 86,. 186,. 44,. 106,. 226,. 139,. 200,. 224,. 54,. 12,. 220,. 49,. 47,. 26,. 83,. 51,. 125,. 36,. 41,. 168,. 44,. 127,. 116,. 164,. 189,. 91,. 89,. 0,. 229,. 152,. 144,. 125,. 6,. 60,. 66,. 212,.],. [. 226,. 139,. 200,. 224,. 54,. 12,. 220,. 49,. 47,. 26,. 83,. 51,. 125,. 36,. 41,. 168,. 44,. 127,. 116,. 164,. 189,. 91,. 89,. 0,. 229,. 152,. 144,. 125,. 6,. 60,. 66,. 212,.],.].key_confirmed = true..[keys_confirmed].rs-ny = true.

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk.6508_ThreadId(14)_1658168195748594800

Download File

Process:	C:\Users\user\Desktop\rustdesk-1.1.9.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	103
Entropy (8bit):	4.295323833560111
Encrypted:	false
SSDEEP:	3:A10WJBiFBdRFUnXiFQ/fJ24uVC5Y2GtKGEvn:A6WJOJU72dPCv
MD5:	6AA983BC7FE8B7CF3B69418B182A542A
SHA1:	9D9D6471ED43172CE62A919E960898973F570D80
SHA-256:	935190DDD9A2A8CD27D77CA613E174585DE0EF07FA6DA3EA115EECB593AD5B89
SHA-512:	0C9C18ABE1723C6511028932688B262D6F42D7DF938CD2D51A4B846AD5A2B7DD678098B9B81BD06B8948E9CDED62D34D2A8F873B87C0E00592A4FDFCE39B0118
Malicious:	false
Reputation:	low
Preview:	id = ''.password = ''.salt = ''.key_pair = [. [],. [],.].key_confirmed = false..[keys_confirmed].

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk.6508_ThreadId(14)_1658168200751260800

Download File

Process:	C:\Users\user\Desktop\rustdesk-1.1.9.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	959
Entropy (8bit):	3.3132467950287907
Encrypted:	false
SSDEEP:	24:DhC59uC0FzBy6RzUOu2EXWQM1QWd4ERauJitlgBuw0FGiVId4ERauJitlgBuw0FG:DhC5UC8zBy6RwTmZ1QWeERauJitlg/84
MD5:	E79EDBA40A4ACCC3432EB9F1750F27E5
SHA1:	F18FD863FE87E0049D6B1957E6BF78F90F253E8C
SHA-256:	90A05764CDB28B2DAB1DEDDE2A229C58F3D4CDCCAAAF137E6724A0DB50EC34BD
SHA-512:	49683217CE6C21533AB6ADF76B419DF375D05A912E7961F483729F838F1A15461EF93284C1D22AC239C15EAF90F7DC5BA762DA3DDB4321C2DBD4CC12EDEF1D2F
Malicious:	false
Reputation:	low
Preview:	id = '461778413'.password = ''.salt = 'hkr4i3'.key_pair = [. [. 74,. 184,. 3,. 247,. 200,. 112,. 109,. 63,. 180,. 152,. 249,. 192,. 157,. 100,. 12,. 238,. 45,. 243,. 62,. 30,. 193,. 28,. 91,. 222,. 254,. 136,. 99,. 58,. 86,. 186,. 44,. 106,. 226,. 139,. 200,. 224,. 54,. 12,. 220,. 49,. 47,. 26,. 83,. 51,. 125,. 36,. 41,. 168,. 44,. 127,. 116,. 164,. 189,. 91,. 89,. 0,. 229,. 152,. 144,. 125,. 6,. 60,. 66,. 212,.],. [. 226,. 139,. 200,. 224,. 54,. 12,. 220,. 49,. 47,. 26,. 83,. 51,. 125,. 36,. 41,. 168,. 44,. 127,. 116,. 164,. 189,. 91,. 89,. 0,. 229,. 152,. 144,. 125,. 6,. 60,. 66,. 212,.],.].key_confirmed = true..[keys_confirmed].rs-ny = true.rs-sg = true.

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk.toml (copy)

Download File

Process:	C:\Users\user\Desktop\rustdesk-1.1.9.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	959
Entropy (8bit):	3.3132467950287907
Encrypted:	false
SSDEEP:	24:DhC59uC0FzBy6RzUOu2EXWQM1QWd4ERauJitlgBuw0FGiVId4ERauJitlgBuw0FG:DhC5UC8zBy6RwTmZ1QWeERauJitlg/84
MD5:	E79EDBA40A4ACCC3432EB9F1750F27E5
SHA1:	F18FD863FE87E0049D6B1957E6BF78F90F253E8C
SHA-256:	90A05764CDB28B2DAB1DEDDE2A229C58F3D4CDCCAAAF137E6724A0DB50EC34BD
SHA-512:	49683217CE6C21533AB6ADF76B419DF375D05A912E7961F483729F838F1A15461EF93284C1D22AC239C15EAF90F7DC5BA762DA3DDB4321C2DBD4CC12EDEF1D2F
Malicious:	false
Reputation:	low
Preview:	id = '461778413'.password = ''.salt = 'hkr4i3'.key_pair = [. [. 74,. 184,. 3,. 247,. 200,. 112,. 109,. 63,. 180,. 152,. 249,. 192,. 157,. 100,. 12,. 238,. 45,. 243,. 62,. 30,. 193,. 28,. 91,. 222,. 254,. 136,. 99,. 58,. 86,. 186,. 44,. 106,. 226,. 139,. 200,. 224,. 54,. 12,. 220,. 49,. 47,. 26,. 83,. 51,. 125,. 36,. 41,. 168,. 44,. 127,. 116,. 164,. 189,. 91,. 89,. 0,. 229,. 152,. 144,. 125,. 6,. 60,. 66,. 212,.],. [. 226,. 139,. 200,. 224,. 54,. 12,. 220,. 49,. 47,. 26,. 83,. 51,. 125,. 36,. 41,. 168,. 44,. 127,. 116,. 164,. 189,. 91,. 89,. 0,. 229,. 152,. 144,. 125,. 6,. 60,. 66,. 212,.],.].key_confirmed = true..[keys_confirmed].rs-ny = true.rs-sg = true.

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk2.6508_ThreadId(12)_1658168197681624500

Download File

Process:	C:\Users\user\Desktop\rustdesk-1.1.9.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	4.52836110694279
Encrypted:	false
SSDEEP:	3:eGHXTAXuQb/1tWoFYWC:N3M+CWP
MD5:	006A29B1ADC8B59135DF5652C54932D7
SHA1:	5CB1513FB96E5C3BD36348F77FDA7E937EFFED15
SHA-256:	9FF2A92728EC23C4B16298FD8E2B7B973D7D52AAB60FCD385E6DCA6713329621
SHA-512:	5C3F8C38C85AFE9CDC86B558F58A16603C6391A596F7FD231C916F1F501943236762EA42096743DA9B21BCA733C3A8C23794B2BE63A34871C0176BB91BDD1204
Malicious:	false
Reputation:	low
Preview:	rendezvous_server = 'rs-ny.rustdesk.com'.nat_type = 1.serial = 0..[options].

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk2.6508_ThreadId(23)_1658168197062885000

Download File

Process:	C:\Users\user\Desktop\rustdesk-1.1.9.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	58
Entropy (8bit):	4.312313055614734
Encrypted:	false
SSDEEP:	3:eGHXTAXIs6tWoFYWC:N3M4fWP
MD5:	96FE74504F52619FAF3F15D9FE43FFD7
SHA1:	93C80D6690FBFAC76AA68BE183A06862A0DD671A
SHA-256:	2E585AA05A3B6FD8C8803CBE1F00FEBB437CD016884DA2C0F1207CD6B67AC36D
SHA-512:	3874DE6647C522446B1E2958BA57ADF6C49AEE4B0848F8511CD53F16494E8B33468AEEA18706346E1999C1BDD2BF499AB3990A30E9E0D1031A42A8A65229B1B1
Malicious:	false
Reputation:	low
Preview:	rendezvous_server = ''.nat_type = 1.serial = 0..[options].

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk2.6508_ThreadId(9)_1658168195468795400

Download File

Process:	C:\Users\user\Desktop\rustdesk-1.1.9.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	58
Entropy (8bit):	4.277830296994044
Encrypted:	false
SSDEEP:	3:eGHXTAXIs6ejFYWC:N3M4r
MD5:	7E65E186C1FD1E4B9634F8D54CDE92D3
SHA1:	BE1440FC7AFE1FFC61CFDECB15A28B5F78D054B8
SHA-256:	828AC47651ACDAA5632E40D79FC4DB0F7B87E487976DC68E7680BE93424EC1AE
SHA-512:	271B48B0A4C4B13C9E766ACEAB778375452F30582141D1517A12E3B7BBD4022A964C18C2FB437DC16FE432F31C8216420DFA74BE139070BFF6B41E227A5A6E56
Malicious:	false
Reputation:	low
Preview:	rendezvous_server = ''.nat_type = 0.serial = 0..[options].

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk2.toml (copy)

Download File

Process:	C:\Users\user\Desktop\rustdesk-1.1.9.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	4.52836110694279
Encrypted:	false
SSDEEP:	3:eGHXTAXuQb/1tWoFYWC:N3M+CWP
MD5:	006A29B1ADC8B59135DF5652C54932D7
SHA1:	5CB1513FB96E5C3BD36348F77FDA7E937EFFED15
SHA-256:	9FF2A92728EC23C4B16298FD8E2B7B973D7D52AAB60FCD385E6DCA6713329621
SHA-512:	5C3F8C38C85AFE9CDC86B558F58A16603C6391A596F7FD231C916F1F501943236762EA42096743DA9B21BCA733C3A8C23794B2BE63A34871C0176BB91BDD1204
Malicious:	false
Reputation:	low
Preview:	rendezvous_server = 'rs-ny.rustdesk.com'.nat_type = 1.serial = 0..[options].

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk_local.6508_ThreadId(1)_1658168196121425800

Download File

Process:	C:\Users\user\Desktop\rustdesk-1.1.9.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	74
Entropy (8bit):	3.7519384795225292
Encrypted:	false
SSDEEP:	3:skBFmAh/bFFFvhFFFvhFFFvhgUM+K7v:tBF3he7v
MD5:	FE15184A9910E06F5A5BD76A0C982DE7
SHA1:	FF35C1711ACE7EB572BA83F6B33212396ABDBDF8
SHA-256:	E930F4AFAAA9573D22938FDC00B8FDF73ADBD1B82A20E1E0078E5FC2614168F7
SHA-512:	6A31FE76E44D182EAB1CD9E85BC989D56B0A251631A8EEC4FAF42B8241155585A1CFD268A51A5A7DB7202DA85A8A9F10790A647A7BFF5002A0933F54381F4663
Malicious:	false
Reputation:	low
Preview:	remote_id = ''.size = [. 0,. 0,. 0,. 0,.].fav = []..[options].

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk_local.toml (copy)

Download File

Process:	C:\Users\user\Desktop\rustdesk-1.1.9.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	74
Entropy (8bit):	3.7519384795225292
Encrypted:	false
SSDEEP:	3:skBFmAh/bFFFvhFFFvhFFFvhgUM+K7v:tBF3he7v
MD5:	FE15184A9910E06F5A5BD76A0C982DE7
SHA1:	FF35C1711ACE7EB572BA83F6B33212396ABDBDF8
SHA-256:	E930F4AFAAA9573D22938FDC00B8FDF73ADBD1B82A20E1E0078E5FC2614168F7
SHA-512:	6A31FE76E44D182EAB1CD9E85BC989D56B0A251631A8EEC4FAF42B8241155585A1CFD268A51A5A7DB7202DA85A8A9F10790A647A7BFF5002A0933F54381F4663
Malicious:	false
Preview:	remote_id = ''.size = [. 0,. 0,. 0,. 0,.].fav = []..[options].

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.47204929106615
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rustdesk-1.1.9.exe
File size:	15250920
MD5:	6784be19a5f870544c8e564c768eff23
SHA1:	177c876064ed39e9c06c187176f9f783833f1e1d
SHA256:	b654cb0e45016773edacb532cddfaa3faf677adbbb3bd7b61e31ed0ec23e0c91
SHA512:	ce22023e55ad368ea8b3f7d07a2b8b95d79f6ebcecc69bebf2022d840624b080d69fe3d3d584fbe55c9e24b5fd882085ebc0c5e1e780d8bb3641a9ce82d1db82
SSDEEP:	196608:q3e439qcLO4DOyvek4JELDzDSlYm4QV3j8rqNU:QdKErLDzDSCm4QV3j8rqNU
TLSH:	68E68C17F2A141E9C1AAC0B4866AA613FAB17C890734B7DF16E056212F677F06F3E351
File Content Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......+...o..Io..Io..I{..HO..I{..HQ..I..RIg..I=..H...I=..H\|..I=..Hc..I{..Hn..I{..H...I{..HR..Io..Ic..I...HE..I...H/..I...H...Io..Iu..

File Icon


Icon Hash:	9269ccc6c6cc6996

Static PE Info

General

Entrypoint:	0x140a389a8
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x62CDB6B0 [Tue Jul 12 18:00:16 2022 UTC]
TLS Callbacks:	0x40466260, 0x1, 0x40a39280, 0x1, 0x40a392f8, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	31d49736e8e51fb45e62a0baa554a5da

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	8/25/2021 5:00:00 PM 8/26/2022 4:59:59 PM
Subject Chain	CN=Zhou Huabing, O=Zhou Huabing, S=Central Singapore, C=SG
Version:	3
Thumbprint MD5:	79069E7BDC8748CC5BC28794EAEF947D
Thumbprint SHA-1:	62347301C52447E1F2D2FE670C6E0D771BCA7A67
Thumbprint SHA-256:	2EDD3F77AC249FCB3E9A3E1572AFA7BE4C352E68E1FED1637C1EC1FACD1520B8
Serial:	0F9B04409B719857D849BB69D473BE9D

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FBBE46C849Ch
dec eax
add esp, 28h
jmp 00007FBBE46C76E7h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 10h
dec esp
mov dword ptr [esp], edx
dec esp
mov dword ptr [esp+08h], ebx
dec ebp
xor ebx, ebx
dec esp
lea edx, dword ptr [esp+18h]
dec esp
sub edx, eax
dec ebp
cmovb edx, ebx
dec esp
mov ebx, dword ptr [00000010h]
dec ebp
cmp edx, ebx
jnc 00007FBBE46C7888h
inc cx
and edx, 8D4DF000h
wait
add al, dh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xdc2c38	0x258	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe6a000	0x8f78	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xe1f000	0x499b0	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0xe88a00	0x2be8	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe73000	0x26660	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xd14e24	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xd15000	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xd14e80	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xaad000	0x1758	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xaab06c	0xaab200	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xaad000	0x31ac34	0x31ae00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xdc8000	0x560ac	0x49200	False	0.20185630341880342	data	4.291665098138149	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xe1f000	0x499b0	0x49a00	False	0.5058494269949066	data	6.485480490820679	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0xe69000	0xf4	0x200	False	0.30859375	data	2.4276487753991924	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xe6a000	0x8f78	0x9000	False	0.325927734375	data	4.604227991405256	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe73000	0x26660	0x26800	False	0.12085912134740259	data	5.4561381336854655	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xe6a400	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xe6a968	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0xe6b210	0xea8	data	English	United States
RT_ICON	0xe6c0b8	0x4c28	dBase IV DBT, blocks size 0, block length 16384, next free block index 40, next free block 353703189, next used block 353703189	English	United States
RT_ICON	0xe70ce0	0x1be2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_GROUP_ICON	0xe728c8	0x4c	data	English	United States
RT_VERSION	0xe6a1f0	0x20c	data	English	United States
RT_MANIFEST	0xe72918	0x65a	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	SleepEx, GetEnvironmentStringsW, FreeEnvironmentStringsW, CompareStringOrdinal, GetSystemDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, CreateProcessW, DuplicateHandle, CreateThread, GetCurrentThread, WriteFileEx, WaitForMultipleObjects, CreateEventW, CancelIo, ExitProcess, QueryPerformanceFrequency, RtlCaptureContext, FindFirstFileW, DeleteFileW, MoveFileExW, RemoveDirectoryW, CreateSymbolicLinkW, SetHandleInformation, GetComputerNameExW, VerSetConditionMask, ProcessIdToSessionId, OpenProcess, VerifyVersionInfoW, WTSGetActiveConsoleSessionId, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, LoadLibraryExW, WideCharToMultiByte, GetSystemTime, GetLocalTime, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, DeleteCriticalSection, ResetEvent, CreateSemaphoreW, ResumeThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetComputerNameW, CompareStringW, GetNumberFormatW, GetCurrencyFormatW, GetSystemDefaultLCID, GetUserDefaultLCID, OutputDebugStringW, MulDiv, GetTempPathA, GetTempFileNameA, AllocConsole, GetModuleFileNameA, LoadLibraryExA, DebugBreak, FormatMessageA, SetErrorMode, GetQueuedCompletionStatus, GetFileType, RegisterWaitForSingleObject, UnregisterWait, SetNamedPipeHandleState, PeekNamedPipe, GetNamedPipeHandleStateW, QueueUserWorkItem, GetFileSize, SetEndOfFile, SetFilePointer, CreateFileMappingW, MapViewOfFile, FlushViewOfFile, UnmapViewOfFile, GetCPInfo, FreeLibrary, LocalSize, CreateFileA, GetNumberOfConsoleInputEvents, ReadConsoleInputW, CreateDirectoryW, GetConsoleScreenBufferInfo, SetConsoleCursorPosition, WriteConsoleInputW, UnregisterWaitEx, LCMapStringW, CopyFileW, CreateHardLinkW, GetLongPathNameW, GetShortPathNameW, ReadDirectoryChangesW, DecodePointer, RaiseException, InitializeCriticalSectionEx, GetLogicalDriveStringsW, GetVolumeInformationW, GetStartupInfoW, LoadLibraryW, lstrcmpW, SetThreadPriority, GetThreadPriority, GetTickCount, GetVersionExW, GetFileTime, WakeConditionVariable, SleepConditionVariableCS, InitializeConditionVariable, WakeAllConditionVariable, GetOEMCP, GetACP, IsValidCodePage, FindFirstFileExW, GetFileSizeEx, EnumSystemLocalesW, IsValidLocale, GetCommandLineA, GetConsoleOutputCP, SetFileAttributesW, GetFileAttributesExW, SetStdHandle, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, InitializeCriticalSectionAndSpinCount, RtlUnwind, RtlUnwindEx, GetStringTypeW, LCMapStringEx, EncodePointer, SleepConditionVariableSRW, InitializeSRWLock, GetNativeSystemInfo, GetExitCodeThread, RtlPcToFileHeader, IsDebuggerPresent, InitializeSListHead, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, ReadFileEx, GetFullPathNameW, FindNextFileW, DeviceIoControl, GetFileInformationByHandle, GetCommandLineW, GetModuleFileNameW, GetTempPathW, SetEnvironmentVariableW, GetEnvironmentVariableW, RtlLookupFunctionEntry, ReleaseMutex, GetCurrentProcess, CreateMutexA, LoadLibraryA, WaitForSingleObjectEx, GetCurrentDirectoryW, WriteConsoleW, GetProcAddress, GetModuleHandleA, CreateNamedPipeW, SetFileCompletionNotificationModes, CreateIoCompletionPort, CancelIoEx, WriteFile, PostQueuedCompletionStatus, GetOverlappedResult, ReadFile, TryAcquireSRWLockExclusive, GetFinalPathNameByHandleW, SetLastError, GetQueuedCompletionStatusEx, SetConsoleCtrlHandler, CreateSemaphoreA, TerminateProcess, GetUserDefaultLocaleName, GetModuleHandleW, GetCurrentThreadId, GlobalFree, GlobalAlloc, MultiByteToWideChar, WaitForSingleObject, GlobalSize, GlobalUnlock, GlobalLock, GetSystemInfo, GetLogicalProcessorInformation, FlushFileBuffers, LocalAlloc, ConnectNamedPipe, GetExitCodeProcess, LocalFree, SetFileTime, GetLogicalDrives, ReleaseSRWLockShared, AcquireSRWLockShared, GetTimeZoneInformation, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, FormatMessageW, lstrlenW, ReleaseSemaphore, QueryPerformanceCounter, WaitForMultipleObjectsEx, SetEvent, CreateEventA, SetFilePointerEx, GetFileInformationByHandleEx, GetStdHandle, HeapReAlloc, SetThreadStackGuarantee, AddVectoredExceptionHandler, Sleep, GetLastError, SetConsoleMode, GetConsoleMode, CreateFileW, GetSystemTimeAsFileTime, GetCurrentProcessId, CloseHandle, SwitchToThread, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, FindClose, HeapAlloc, GetProcessHeap, ReadConsoleW, HeapFree, HeapSize
SAS.dll	SendSAS
WTSAPI32.dll	WTSQuerySessionInformationW, WTSEnumerateSessionsA, WTSFreeMemory
Secur32.dll	AcquireCredentialsHandleA, DecryptMessage, QueryContextAttributesW, InitializeSecurityContextW, AcceptSecurityContext, ApplyControlToken, EncryptMessage, FreeCredentialsHandle, DeleteSecurityContext, FreeContextBuffer
ole32.dll	PropVariantClear, RegisterDragDrop, RevokeDragDrop, DoDragDrop, ReleaseStgMedium, CoInitializeEx, CoTaskMemAlloc, CoFreeUnusedLibraries, CoInitialize, OleSetClipboard, OleGetClipboard, OleIsCurrentClipboard, CoUninitialize, CoTaskMemFree, CoCreateInstance, OleInitialize, CoCreateGuid, CreateStreamOnHGlobal, OleUninitialize
USER32.dll	MapVirtualKeyW, SetWinEventHook, UpdateLayeredWindow, GetQueueStatus, MsgWaitForMultipleObjects, DispatchMessageA, DefWindowProcA, RegisterClassExA, CreateWindowExA, GetClipboardOwner, EnumClipboardFormats, ChangeClipboardChain, RegisterClipboardFormatA, GetClipboardFormatNameA, GetClientRect, EnableWindow, IsWindowUnicode, KillTimer, SetTimer, ReleaseCapture, CreateIconIndirect, UpdateWindow, CountClipboardFormats, RegisterClipboardFormatW, GetClipboardSequenceNumber, FindWindowW, SetCaretPos, DestroyCaret, CreateCaret, MessageBoxW, SetActiveWindow, SetClipboardViewer, LoadStringW, SendInput, GetForegroundWindow, GetWindowThreadProcessId, GetKeyboardLayout, MapVirtualKeyExW, VkKeyScanExW, SetCapture, GetCapture, GetFocus, GetActiveWindow, SetFocus, CallMsgFilterW, IsIconic, IsWindowVisible, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, GetWindowPlacement, MoveWindow, FlashWindowEx, DestroyWindow, IsChild, IsWindow, GetDesktopWindow, GetMessageTime, RegisterWindowMessageW, MessageBoxA, GetWindowTextW, GetMonitorInfoW, MonitorFromWindow, SystemParametersInfoW, DestroyCursor, LoadCursorFromFileA, LoadCursorW, GetSysColor, UnhookWindowsHookEx, GetAsyncKeyState, PostMessageA, SendMessageA, PeekMessageA, GetUserObjectInformationA, GetThreadDesktop, CloseDesktop, SetThreadDesktop, OpenInputDesktop, RegisterClassExW, GetKeyState, LockWorkStation, GetCursorPos, GetCursorInfo, MapVirtualKeyA, EnumDisplaySettingsExW, EnumDisplayDevicesW, CallNextHookEx, ToUnicodeEx, GetSystemMetrics, BlockInput, MsgWaitForMultipleObjectsEx, GetUpdateRect, PostThreadMessageW, PeekMessageW, ValidateRect, GetRawInputData, TrackPopupMenu, SetForegroundWindow, DefWindowProcW, PostMessageW, GetWindowLongPtrW, RegisterWindowMessageA, DestroyMenu, AppendMenuW, CreatePopupMenu, SendMessageW, InvalidateRgn, SetWindowPos, AdjustWindowRectEx, GetMenu, GetWindowLongW, RedrawWindow, RegisterClassW, CopyIcon, DestroyIcon, CreateIconFromResourceEx, LookupIconIdFromDirectoryEx, RegisterRawInputDevices, SetWindowLongPtrW, CreateWindowExW, DispatchMessageW, TranslateMessage, GetMessageW, ShowWindow, SetWindowTextW, GetMessageA, EndPaint, BeginPaint, IsWindowEnabled, AnimateWindow, MessageBeep, GetDoubleClickTime, NotifyWinEvent, MonitorFromPoint, GetScrollInfo, SetScrollInfo, LoadIconW, SetWindowsHookExW, GetWindow, EnumThreadWindows, GetParent, SetClassLongW, GetClassLongW, SetWindowLongW, IsRectEmpty, WindowFromPoint, MapWindowPoints, ScreenToClient, ClientToScreen, SetCursor, PostQuitMessage, GetIconInfo, GetDC, ReleaseDC, OpenClipboard, IsClipboardFormatAvailable, GetClipboardData, CloseClipboard, EmptyClipboard, SetClipboardData, SetWindowsHookExA, GetWindowRect, EnumDisplayMonitors, InvalidateRect, DrawIconEx
COMDLG32.dll	GetOpenFileNameW, PrintDlgW, GetSaveFileNameW, CommDlgExtendedError
WININET.dll	InternetOpenA, InternetConnectA, InternetErrorDlg, HttpQueryInfoW, HttpQueryInfoA, HttpSendRequestA, HttpOpenRequestA, InternetSetOptionW, InternetQueryOptionW, InternetReadFile, InternetCloseHandle
bcrypt.dll	BCryptGenRandom
ntdll.dll	NtDeviceIoControlFile, NtCancelIoFileEx, RtlNtStatusToDosError, NtCreateFile
ADVAPI32.dll	OpenServiceW, SystemFunction036, CryptGenRandom, StartServiceCtrlDispatcherW, RegisterServiceCtrlHandlerExW, SetServiceStatus, InitializeSecurityDescriptor, SetEntriesInAclW, AllocateAndInitializeSid, FreeSid, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetUserNameW, OpenSCManagerW, CryptReleaseContext, CloseServiceHandle, CreateProcessAsUserW, OpenProcessToken, CryptAcquireContextW
COMCTL32.dll	ImageList_Destroy, ImageList_GetIconSize, ImageList_DrawEx
CRYPT32.dll	CertCloseStore, CertDuplicateCertificateContext, CertOpenStore, CertAddCertificateContextToStore, CertDuplicateStore, CertEnumCertificatesInStore, CertGetCertificateChain, CertDuplicateCertificateChain, CertFreeCertificateChain, CertVerifyCertificateChainPolicy, CertFreeCertificateContext
d3d11.dll	D3D11CreateDevice
dxgi.dll	CreateDXGIFactory1
GDI32.dll	DeleteDC, DeleteObject, BitBlt, GetDIBits, GetObjectA, GetBitmapBits, CreateCompatibleDC, CreateDCW, CreateCompatibleBitmap, GetDeviceCaps, AddFontMemResourceEx, GetObjectW, SetMapMode, StartDocW, EndDoc, StartPage, EndPage, CreateSolidBrush, GetStockObject, SetLayout, CreateDIBSection, CreateBitmap, GetGlyphIndicesW, CreateFontW, EnumFontFamiliesExW, GetFontUnicodeRanges, StretchDIBits, GetClipBox, RestoreDC, SaveDC, SetViewportOrgEx, SelectObject
IMM32.dll	ImmGetContext, ImmReleaseContext, ImmAssociateContextEx, ImmGetCompositionStringW, ImmNotifyIME, ImmSetCandidateWindow, ImmIsIME
IPHLPAPI.DLL	GetAdaptersAddresses
OLEAUT32.dll	SysAllocStringLen, SysFreeString, SafeArrayDestroy, SafeArrayPutElement, SafeArrayCreateVector
SHELL32.dll	ShellExecuteExW, SHAddToRecentDocs, CommandLineToArgvW, SHGetKnownFolderPath, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, DragQueryFileW, ShellExecuteW, SHGetSpecialFolderPathW, Shell_NotifyIconW
SHLWAPI.dll	PathIsRelativeW
UxTheme.dll	GetThemePartSize, OpenThemeData, SetWindowTheme, IsThemeBackgroundPartiallyTransparent, CloseThemeData, DrawThemeBackground
WINSPOOL.DRV
WS2_32.dll	WSARecvFrom, WSARecv, htons, WSASend, send, recv, WSACleanup, freeaddrinfo, select, WSASetLastError, WSASocketW, getaddrinfo, WSAIoctl, recvfrom, sendto, bind, listen, socket, ioctlsocket, setsockopt, closesocket, WSAStartup, getsockopt, shutdown, connect, getsockname, WSAGetLastError, getpeername, accept
USERENV.dll	DestroyEnvironmentBlock, CreateEnvironmentBlock
gdiplus.dll	GdipGetImageGraphicsContext, GdipGetImageWidth, GdipGetImageHeight, GdipCreateBitmapFromScan0, GdipBitmapLockBits, GdipBitmapUnlockBits, GdipCreateImageAttributes, GdipDisposeImageAttributes, GdipSetImageAttributesColorMatrix, GdipCreateFromHDC, GdipCreateFromHWND, GdipDeleteGraphics, GdipSetCompositingQuality, GdipSetSmoothingMode, GdipGetSmoothingMode, GdipSetPixelOffsetMode, GdipSetTextRenderingHint, GdipSetInterpolationMode, GdipResetWorldTransform, GdipMultiplyWorldTransform, GdipTranslateWorldTransform, GdipGetWorldTransform, GdipSetPageUnit, GdipTransformPoints, GdipDrawLine, GdipCreatePen1, GdipDrawRectangle, GdipDrawEllipse, GdipDrawPie, GdipDrawPath, GdipGraphicsClear, GdipFillRectangle, GdipFillRectangleI, GdipFillRectanglesI, GdipFillEllipse, GdipFillPie, GdipFillPath, GdipDrawImageRectRect, GdipSetClipRect, GdipSetClipRectI, GdipGetClipBoundsI, GdipSaveGraphics, GdipRestoreGraphics, GdipCloneImage, GdipSetPenMiterLimit, GdiplusStartup, GdiplusShutdown, GdipDeleteFontFamily, GdipGetEmHeight, GdipGetCellAscent, GdipGetLineSpacing, GdipCreateFontFromDC, GdipCreateFontFromLogfontA, GdipDeleteFont, GdipGetFamily, GdipGetFontSize, GdipCreateBitmapFromGraphics, GdipCreateHBITMAPFromBitmap, GdipDrawImageI, GdipDrawDriverString, GdipSetPenLineJoin, GdipSetPathGradientTransform, GdipSetPathGradientWrapMode, GdipSetPathGradientPresetBlend, GdipSetPathGradientCenterPoint, GdipCreatePathGradientFromPath, GdipMultiplyLineTransform, GdipSetLineWrapMode, GdipSetLinePresetBlend, GdipCreateLineBrush, GdipCreateSolidFill, GdipCreateTexture, GdipDeleteBrush, GdipCloneBrush, GdipGetMatrixElements, GdipShearMatrix, GdipRotateMatrix, GdipScaleMatrix, GdipTranslateMatrix, GdipDeleteMatrix, GdipCreateMatrix2, GdipCreateMatrix, GdipIsVisiblePathPoint, GdipGetPathWorldBounds, GdipAddPathRectangleI, GdipAddPathArcI, GdipAddPathLineI, GdipAddPathEllipse, GdipDisposeImage, GdipSetPenDashOffset, GdipSetPenDashArray, GdipBeginContainer2, GdipAlloc, GdipFree, GdipSetPenEndCap, GdipSetPenStartCap, GdipDeletePen, GdipSetPenDashStyle, GdipEndContainer, GdipCreatePath, GdipClonePath, GdipDeletePath, GdipResetPath, GdipSetPathFillMode, GdipStartPathFigure, GdipClosePathFigure, GdipAddPathLine, GdipAddPathArc, GdipAddPathBezier, GdipCreatePen2, GdipDrawArc
WINMM.dll	timeEndPeriod, timeBeginPeriod, timeGetTime, timeKillEvent, timeSetEvent
OLEACC.dll	AccessibleObjectFromWindow, LresultFromObject
USP10.dll	ScriptApplyDigitSubstitution, ScriptFreeCache, ScriptItemize, ScriptShape, ScriptPlace, ScriptBreak

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 121
• 21116 undefined
• 21115 undefined
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 18, 2022 09:40:38.005563021 CEST	49745	21116	192.168.2.3	216.128.140.17
Jul 18, 2022 09:40:38.146699905 CEST	21116	49745	216.128.140.17	192.168.2.3
Jul 18, 2022 09:40:38.146848917 CEST	49745	21116	192.168.2.3	216.128.140.17
Jul 18, 2022 09:40:38.152219057 CEST	49745	21116	192.168.2.3	216.128.140.17
Jul 18, 2022 09:40:38.293214083 CEST	21116	49745	216.128.140.17	192.168.2.3
Jul 18, 2022 09:40:38.293251991 CEST	21116	49745	216.128.140.17	192.168.2.3
Jul 18, 2022 09:40:38.293282032 CEST	21116	49745	216.128.140.17	192.168.2.3
Jul 18, 2022 09:40:38.293355942 CEST	49745	21116	192.168.2.3	216.128.140.17
Jul 18, 2022 09:40:38.301245928 CEST	49745	21116	192.168.2.3	216.128.140.17
Jul 18, 2022 09:40:38.315366030 CEST	49745	21115	192.168.2.3	216.128.140.17
Jul 18, 2022 09:40:38.442861080 CEST	21116	49745	216.128.140.17	192.168.2.3
Jul 18, 2022 09:40:38.454889059 CEST	21115	49745	216.128.140.17	192.168.2.3
Jul 18, 2022 09:40:38.455056906 CEST	49745	21115	192.168.2.3	216.128.140.17
Jul 18, 2022 09:40:38.470675945 CEST	49745	21115	192.168.2.3	216.128.140.17
Jul 18, 2022 09:40:38.610812902 CEST	21115	49745	216.128.140.17	192.168.2.3
Jul 18, 2022 09:40:38.610855103 CEST	21115	49745	216.128.140.17	192.168.2.3
Jul 18, 2022 09:40:38.610886097 CEST	21115	49745	216.128.140.17	192.168.2.3
Jul 18, 2022 09:40:38.610972881 CEST	49745	21115	192.168.2.3	216.128.140.17
Jul 18, 2022 09:40:38.611159086 CEST	49745	21115	192.168.2.3	216.128.140.17
Jul 18, 2022 09:40:38.751584053 CEST	21115	49745	216.128.140.17	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 18, 2022 09:40:37.353171110 CEST	57421	53	192.168.2.3	8.8.8.8
Jul 18, 2022 09:40:37.355880976 CEST	65358	53	192.168.2.3	8.8.8.8
Jul 18, 2022 09:40:37.357700109 CEST	49873	53	192.168.2.3	8.8.8.8
Jul 18, 2022 09:40:37.593882084 CEST	53	57421	8.8.8.8	192.168.2.3
Jul 18, 2022 09:40:37.655813932 CEST	53802	53	192.168.2.3	8.8.8.8
Jul 18, 2022 09:40:37.678107023 CEST	53	49873	8.8.8.8	192.168.2.3
Jul 18, 2022 09:40:37.696440935 CEST	53	65358	8.8.8.8	192.168.2.3
Jul 18, 2022 09:40:37.949901104 CEST	53	53802	8.8.8.8	192.168.2.3
Jul 18, 2022 09:40:38.795810938 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:40:38.796415091 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:40:38.796649933 CEST	53803	21116	192.168.2.3	18.142.155.14
Jul 18, 2022 09:40:38.797051907 CEST	53803	21116	192.168.2.3	18.142.155.14
Jul 18, 2022 09:40:38.797715902 CEST	49875	21116	192.168.2.3	216.128.140.17
Jul 18, 2022 09:40:38.798043966 CEST	49875	21116	192.168.2.3	216.128.140.17
Jul 18, 2022 09:40:38.937630892 CEST	21116	49875	216.128.140.17	192.168.2.3
Jul 18, 2022 09:40:38.937705040 CEST	21116	49875	216.128.140.17	192.168.2.3
Jul 18, 2022 09:40:38.988236904 CEST	21116	53803	18.142.155.14	192.168.2.3
Jul 18, 2022 09:40:38.988276005 CEST	21116	53803	18.142.155.14	192.168.2.3
Jul 18, 2022 09:40:40.579435110 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:40:41.183144093 CEST	65266	53	192.168.2.3	8.8.8.8
Jul 18, 2022 09:40:42.192703962 CEST	65266	53	192.168.2.3	8.8.8.8
Jul 18, 2022 09:40:42.192712069 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:40:42.511599064 CEST	53	65266	8.8.8.8	192.168.2.3
Jul 18, 2022 09:40:42.513343096 CEST	65267	21116	192.168.2.3	216.128.140.17
Jul 18, 2022 09:40:42.517911911 CEST	53	65266	8.8.8.8	192.168.2.3
Jul 18, 2022 09:40:42.882852077 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:40:43.712594032 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:40:45.705883026 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:40:46.706065893 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:40:47.756459951 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:40:48.934834957 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:40:50.706418037 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:40:51.709974051 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:40:52.650839090 CEST	49875	21116	192.168.2.3	216.128.140.17
Jul 18, 2022 09:40:52.788225889 CEST	21116	49875	216.128.140.17	192.168.2.3
Jul 18, 2022 09:40:53.707822084 CEST	53803	21116	192.168.2.3	18.142.155.14
Jul 18, 2022 09:40:53.708132029 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:40:53.897293091 CEST	21116	53803	18.142.155.14	192.168.2.3
Jul 18, 2022 09:40:54.709362984 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:40:56.706908941 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:40:57.707562923 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:40:59.707273006 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:01.708034992 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:02.715959072 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:04.708173990 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:06.632618904 CEST	49875	21116	192.168.2.3	216.128.140.17
Jul 18, 2022 09:41:06.772613049 CEST	21116	49875	216.128.140.17	192.168.2.3
Jul 18, 2022 09:41:06.890470982 CEST	53803	21116	192.168.2.3	18.142.155.14
Jul 18, 2022 09:41:06.890902996 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:07.083113909 CEST	21116	53803	18.142.155.14	192.168.2.3
Jul 18, 2022 09:41:08.709005117 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:10.709542036 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:12.708554983 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:13.708758116 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:14.709007978 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:16.708770037 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:17.713924885 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:19.708923101 CEST	53803	21116	192.168.2.3	18.142.155.14
Jul 18, 2022 09:41:19.709672928 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:19.898333073 CEST	21116	53803	18.142.155.14	192.168.2.3
Jul 18, 2022 09:41:20.630866051 CEST	49875	21116	192.168.2.3	216.128.140.17
Jul 18, 2022 09:41:20.710242987 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:20.771970034 CEST	21116	49875	216.128.140.17	192.168.2.3
Jul 18, 2022 09:41:22.822770119 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:24.710086107 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:25.710638046 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:26.712903023 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:27.716039896 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:29.718981028 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:31.713702917 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:33.709945917 CEST	53803	21116	192.168.2.3	18.142.155.14
Jul 18, 2022 09:41:33.710289955 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:33.902298927 CEST	21116	53803	18.142.155.14	192.168.2.3
Jul 18, 2022 09:41:34.635514975 CEST	49875	21116	192.168.2.3	216.128.140.17
Jul 18, 2022 09:41:34.711777925 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:34.772650957 CEST	21116	49875	216.128.140.17	192.168.2.3
Jul 18, 2022 09:41:36.739021063 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:38.713862896 CEST	53804	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:38.738194942 CEST	52096	53	192.168.2.3	8.8.8.8
Jul 18, 2022 09:41:39.166613102 CEST	53	52096	8.8.8.8	192.168.2.3
Jul 18, 2022 09:41:40.723932981 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:42.720982075 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:44.711534977 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:45.713450909 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:47.634097099 CEST	49875	21116	192.168.2.3	216.128.140.17
Jul 18, 2022 09:41:47.723354101 CEST	53803	21116	192.168.2.3	18.142.155.14
Jul 18, 2022 09:41:47.723845959 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:47.771825075 CEST	21116	49875	216.128.140.17	192.168.2.3
Jul 18, 2022 09:41:47.914808035 CEST	21116	53803	18.142.155.14	192.168.2.3
Jul 18, 2022 09:41:49.811434984 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:51.711630106 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:52.712619066 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:53.712558985 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:54.716659069 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:55.724428892 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:57.725301027 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:41:59.712649107 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:00.649910927 CEST	49875	21116	192.168.2.3	216.128.140.17
Jul 18, 2022 09:42:00.713325977 CEST	53803	21116	192.168.2.3	18.142.155.14
Jul 18, 2022 09:42:00.713649035 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:00.787333012 CEST	21116	49875	216.128.140.17	192.168.2.3
Jul 18, 2022 09:42:00.904776096 CEST	21116	53803	18.142.155.14	192.168.2.3
Jul 18, 2022 09:42:02.712943077 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:03.713531017 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:04.717566967 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:06.736500025 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:08.713016987 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:09.713285923 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:10.752793074 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:12.765280962 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:13.802364111 CEST	49875	21116	192.168.2.3	216.128.140.17
Jul 18, 2022 09:42:13.802495956 CEST	53803	21116	192.168.2.3	18.142.155.14
Jul 18, 2022 09:42:13.802809000 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:13.940463066 CEST	21116	49875	216.128.140.17	192.168.2.3
Jul 18, 2022 09:42:13.991883993 CEST	21116	53803	18.142.155.14	192.168.2.3
Jul 18, 2022 09:42:15.713799000 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:17.714076042 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:18.715347052 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:20.714323997 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:21.714998960 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:23.714257956 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:24.714621067 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:25.719077110 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:27.668524981 CEST	49875	21116	192.168.2.3	216.128.140.17
Jul 18, 2022 09:42:27.722794056 CEST	53803	21116	192.168.2.3	18.142.155.14
Jul 18, 2022 09:42:27.725244999 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:27.810882092 CEST	21116	49875	216.128.140.17	192.168.2.3
Jul 18, 2022 09:42:27.916810036 CEST	21116	53803	18.142.155.14	192.168.2.3
Jul 18, 2022 09:42:29.712863922 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:30.759680986 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:32.716270924 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:33.716691017 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:35.715704918 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:37.715677977 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:38.716774940 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:39.716394901 CEST	52097	21116	192.168.2.3	124.70.161.173
Jul 18, 2022 09:42:39.745289087 CEST	64412	53	192.168.2.3	8.8.8.8
Jul 18, 2022 09:42:40.060553074 CEST	53	64412	8.8.8.8	192.168.2.3
Jul 18, 2022 09:42:40.637818098 CEST	49875	21116	192.168.2.3	216.128.140.17
Jul 18, 2022 09:42:40.775604010 CEST	21116	49875	216.128.140.17	192.168.2.3

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jul 18, 2022 09:40:42.518100977 CEST	192.168.2.3	8.8.8.8	d005	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 18, 2022 09:40:37.353171110 CEST	192.168.2.3	8.8.8.8	0xf1e8	Standard query (0)	rs-ny.rustdesk.com	A (IP address)	IN (0x0001)
Jul 18, 2022 09:40:37.355880976 CEST	192.168.2.3	8.8.8.8	0xbae9	Standard query (0)	rs-cn.rustdesk.com	A (IP address)	IN (0x0001)
Jul 18, 2022 09:40:37.357700109 CEST	192.168.2.3	8.8.8.8	0x75f5	Standard query (0)	rs-sg.rustdesk.com	A (IP address)	IN (0x0001)
Jul 18, 2022 09:40:37.655813932 CEST	192.168.2.3	8.8.8.8	0x266d	Standard query (0)	rs-ny.rustdesk.com	A (IP address)	IN (0x0001)
Jul 18, 2022 09:40:41.183144093 CEST	192.168.2.3	8.8.8.8	0x147f	Standard query (0)	rs-ny.rustdesk.com	A (IP address)	IN (0x0001)
Jul 18, 2022 09:40:42.192703962 CEST	192.168.2.3	8.8.8.8	0x147f	Standard query (0)	rs-ny.rustdesk.com	A (IP address)	IN (0x0001)
Jul 18, 2022 09:41:38.738194942 CEST	192.168.2.3	8.8.8.8	0x52f0	Standard query (0)	rs-cn.rustdesk.com	A (IP address)	IN (0x0001)
Jul 18, 2022 09:42:39.745289087 CEST	192.168.2.3	8.8.8.8	0x1147	Standard query (0)	rs-cn.rustdesk.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jul 18, 2022 09:40:37.593882084 CEST	8.8.8.8	192.168.2.3	0xf1e8	No error (0)	rs-ny.rustdesk.com	216.128.140.17	A (IP address)	IN (0x0001)
Jul 18, 2022 09:40:37.678107023 CEST	8.8.8.8	192.168.2.3	0x75f5	No error (0)	rs-sg.rustdesk.com	18.142.155.14	A (IP address)	IN (0x0001)
Jul 18, 2022 09:40:37.696440935 CEST	8.8.8.8	192.168.2.3	0xbae9	No error (0)	rs-cn.rustdesk.com	124.70.161.173	A (IP address)	IN (0x0001)
Jul 18, 2022 09:40:37.949901104 CEST	8.8.8.8	192.168.2.3	0x266d	No error (0)	rs-ny.rustdesk.com	216.128.140.17	A (IP address)	IN (0x0001)
Jul 18, 2022 09:40:42.511599064 CEST	8.8.8.8	192.168.2.3	0x147f	No error (0)	rs-ny.rustdesk.com	216.128.140.17	A (IP address)	IN (0x0001)
Jul 18, 2022 09:40:42.517911911 CEST	8.8.8.8	192.168.2.3	0x147f	No error (0)	rs-ny.rustdesk.com	216.128.140.17	A (IP address)	IN (0x0001)
Jul 18, 2022 09:41:39.166613102 CEST	8.8.8.8	192.168.2.3	0x52f0	No error (0)	rs-cn.rustdesk.com	124.70.161.173	A (IP address)	IN (0x0001)
Jul 18, 2022 09:42:40.060553074 CEST	8.8.8.8	192.168.2.3	0x1147	No error (0)	rs-cn.rustdesk.com	124.70.161.173	A (IP address)	IN (0x0001)

Statistics

CPU Usage

• rustdesk-1.1.9.exe

Click to jump to process

Memory Usage

• rustdesk-1.1.9.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Target ID:	0
Start time:	09:40:33
Start date:	18/07/2022
Path:	C:\Users\user\Desktop\rustdesk-1.1.9.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\rustdesk-1.1.9.exe"
Imagebase:	0x7ff66d750000
File size:	15250920 bytes
MD5 hash:	6784BE19A5F870544C8E564C768EFF23
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rustdesk-1.1.9.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk.6508_ThreadId(10)_1658168196141441100

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk.6508_ThreadId(11)_1658168197035800500

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk.6508_ThreadId(11)_1658168198729737500

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk.6508_ThreadId(12)_1658168198017147900

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk.6508_ThreadId(12)_1658168198238520800

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk.6508_ThreadId(14)_1658168195748594800

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk.6508_ThreadId(14)_1658168200751260800

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk.toml (copy)

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk2.6508_ThreadId(12)_1658168197681624500

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk2.6508_ThreadId(23)_1658168197062885000

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk2.6508_ThreadId(9)_1658168195468795400

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk2.toml (copy)

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk_local.6508_ThreadId(1)_1658168196121425800

C:\Users\user\AppData\Roaming\RustDesk\config\RustDesk_local.toml (copy)

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
rustdesk-1.1.9.exe