fc20fd159eea217fa8ba30309aef177ec00913007f42b325e6b7dd1f21a2f245

Resubmissions

21-09-2024 21:49

240921-1pvsmswbnc 7

21-09-2024 21:49

240921-1pnpbswbmd 1

21-09-2024 21:49

240921-1pbd1awbkd 1

Analysis

max time kernel
103s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-uk
resource tags

arch:x64arch:x86image:win10v2004-20240802-uklocale:uk-uaos:windows10-2004-x64systemwindows
submitted
21-09-2024 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rustdesk-1.3.1-x86_64.exe
Size

20.8MB
MD5

141be4755517fc72c9bb3bc4efaadbfb
SHA1

e460a4fe639730302d8718ff6d5f2b679b6502e6
SHA256

fc20fd159eea217fa8ba30309aef177ec00913007f42b325e6b7dd1f21a2f245
SHA512

4f223cda176d974882bb0647b2e32a90d3cd6fb5595423dda1fb442966977aa3e42c47a9c711bd36c8f1ba345ff596755c2ffcdcbdcd55f1940330239d2e322a
SSDEEP

393216:xWgm1PDyiqYWl07NAJkdzs297RK5OYyDCy8EVJNuVMTkD4A:xjm1Lytsae5I/ANuS8r

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	rustdesk.exe

Executes dropped EXE 6 IoCs

pid	Process
4640	rustdesk.exe
532	rustdesk.exe
2844	rustdesk.exe
4564	rustdesk.exe
4332	rustdesk.exe
5680	rustdesk.exe

Loads dropped DLL 64 IoCs

pid	Process
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
532	rustdesk.exe
532	rustdesk.exe
532	rustdesk.exe
532	rustdesk.exe
532	rustdesk.exe
532	rustdesk.exe
532	rustdesk.exe
532	rustdesk.exe
532	rustdesk.exe
532	rustdesk.exe
532	rustdesk.exe
532	rustdesk.exe
532	rustdesk.exe
2844	rustdesk.exe
2844	rustdesk.exe
2844	rustdesk.exe
2844	rustdesk.exe
2844	rustdesk.exe
2844	rustdesk.exe
2844	rustdesk.exe
2844	rustdesk.exe
2844	rustdesk.exe
2844	rustdesk.exe
2844	rustdesk.exe
2844	rustdesk.exe
2844	rustdesk.exe
4564	rustdesk.exe
4564	rustdesk.exe
4564	rustdesk.exe
4564	rustdesk.exe
4564	rustdesk.exe
4564	rustdesk.exe
4564	rustdesk.exe
4564	rustdesk.exe
4564	rustdesk.exe
4564	rustdesk.exe
4564	rustdesk.exe
4564	rustdesk.exe
4564	rustdesk.exe
4332	rustdesk.exe
4332	rustdesk.exe
4332	rustdesk.exe
4332	rustdesk.exe
4332	rustdesk.exe
4332	rustdesk.exe
4332	rustdesk.exe
4332	rustdesk.exe
4332	rustdesk.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3208	icacls.exe
2428	icacls.exe

Enumerates processes with tasklist 1 TTPs 36 IoCs

discovery

Process Discovery

T1057

pid	Process
5332	tasklist.exe
3004	tasklist.exe
4424	tasklist.exe
5732	tasklist.exe
5180	tasklist.exe
4364	tasklist.exe
4428	tasklist.exe
5952	tasklist.exe
5480	tasklist.exe
6108	tasklist.exe
5136	tasklist.exe
5636	tasklist.exe
4592	tasklist.exe
5380	tasklist.exe
6116	tasklist.exe
4428	tasklist.exe
5324	tasklist.exe
3768	tasklist.exe
5448	tasklist.exe
320	tasklist.exe
5660	tasklist.exe
4164	tasklist.exe
5164	tasklist.exe
2416	tasklist.exe
5056	tasklist.exe
5980	tasklist.exe
6064	tasklist.exe
3116	tasklist.exe
5624	tasklist.exe
5984	tasklist.exe
5196	tasklist.exe
4480	tasklist.exe
6012	tasklist.exe
5980	tasklist.exe
4216	tasklist.exe
6108	tasklist.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\rustdesk_rCURRENT.log	rustdesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
1716	taskkill.exe
2872	taskkill.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
4332	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
5680	rustdesk.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4640	rustdesk.exe
532	rustdesk.exe
532	rustdesk.exe
4564	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4332	rustdesk.exe
4332	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe
4640	rustdesk.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	532	rustdesk.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: 33	3516	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3516	AUDIODG.EXE
Token: SeDebugPrivilege	5180	tasklist.exe
Token: SeDebugPrivilege	5332	tasklist.exe
Token: SeDebugPrivilege	5480	tasklist.exe
Token: SeDebugPrivilege	5624	tasklist.exe
Token: SeDebugPrivilege	5980	tasklist.exe
Token: SeDebugPrivilege	6108	tasklist.exe
Token: SeDebugPrivilege	5136	tasklist.exe
Token: SeDebugPrivilege	3004	tasklist.exe
Token: SeDebugPrivilege	5056	tasklist.exe
Token: SeDebugPrivilege	5448	tasklist.exe
Token: SeDebugPrivilege	320	tasklist.exe
Token: SeDebugPrivilege	5660	tasklist.exe
Token: SeDebugPrivilege	5984	tasklist.exe
Token: SeDebugPrivilege	6116	tasklist.exe
Token: SeDebugPrivilege	5196	tasklist.exe
Token: SeDebugPrivilege	4216	tasklist.exe
Token: SeDebugPrivilege	4480	tasklist.exe
Token: SeDebugPrivilege	4164	tasklist.exe
Token: SeDebugPrivilege	5636	tasklist.exe
Token: SeDebugPrivilege	5980	tasklist.exe
Token: SeDebugPrivilege	6108	tasklist.exe
Token: SeDebugPrivilege	5164	tasklist.exe
Token: SeDebugPrivilege	4592	tasklist.exe
Token: SeDebugPrivilege	4424	tasklist.exe
Token: SeDebugPrivilege	5732	tasklist.exe
Token: SeDebugPrivilege	6012	tasklist.exe
Token: SeDebugPrivilege	6064	tasklist.exe
Token: SeDebugPrivilege	4364	tasklist.exe
Token: SeDebugPrivilege	4428	tasklist.exe
Token: SeDebugPrivilege	3116	tasklist.exe
Token: SeDebugPrivilege	5952	tasklist.exe
Token: SeDebugPrivilege	5380	tasklist.exe
Token: SeDebugPrivilege	2416	tasklist.exe
Token: SeDebugPrivilege	4428	tasklist.exe
Token: SeDebugPrivilege	3768	tasklist.exe
Token: SeDebugPrivilege	5324	tasklist.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4640	rustdesk.exe
4332	rustdesk.exe
4332	rustdesk.exe
5680	rustdesk.exe
5680	rustdesk.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4640	rustdesk.exe
4640	rustdesk.exe
4332	rustdesk.exe
4332	rustdesk.exe
4332	rustdesk.exe
5680	rustdesk.exe
5680	rustdesk.exe
5680	rustdesk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 1716	2660	rustdesk-1.3.1-x86_64.exe	82
PID 2660 wrote to memory of 1716	2660	rustdesk-1.3.1-x86_64.exe	82
PID 2660 wrote to memory of 4640	2660	rustdesk-1.3.1-x86_64.exe	85
PID 2660 wrote to memory of 4640	2660	rustdesk-1.3.1-x86_64.exe	85
PID 4640 wrote to memory of 2428	4640	rustdesk.exe	86
PID 4640 wrote to memory of 2428	4640	rustdesk.exe	86
PID 4640 wrote to memory of 3208	4640	rustdesk.exe	87
PID 4640 wrote to memory of 3208	4640	rustdesk.exe	87
PID 4640 wrote to memory of 532	4640	rustdesk.exe	90
PID 4640 wrote to memory of 532	4640	rustdesk.exe	90
PID 4640 wrote to memory of 2832	4640	rustdesk.exe	91
PID 4640 wrote to memory of 2832	4640	rustdesk.exe	91
PID 4640 wrote to memory of 2844	4640	rustdesk.exe	92
PID 4640 wrote to memory of 2844	4640	rustdesk.exe	92
PID 2832 wrote to memory of 2872	2832	cmd.exe	96
PID 2832 wrote to memory of 2872	2832	cmd.exe	96
PID 4640 wrote to memory of 4332	4640	rustdesk.exe	105
PID 4640 wrote to memory of 4332	4640	rustdesk.exe	105
PID 4640 wrote to memory of 5132	4640	rustdesk.exe	108
PID 4640 wrote to memory of 5132	4640	rustdesk.exe	108
PID 5132 wrote to memory of 5180	5132	cmd.exe	110
PID 5132 wrote to memory of 5180	5132	cmd.exe	110
PID 5132 wrote to memory of 5188	5132	cmd.exe	111
PID 5132 wrote to memory of 5188	5132	cmd.exe	111
PID 4640 wrote to memory of 5284	4640	rustdesk.exe	112
PID 4640 wrote to memory of 5284	4640	rustdesk.exe	112
PID 5284 wrote to memory of 5332	5284	cmd.exe	114
PID 5284 wrote to memory of 5332	5284	cmd.exe	114
PID 5284 wrote to memory of 5340	5284	cmd.exe	115
PID 5284 wrote to memory of 5340	5284	cmd.exe	115
PID 4640 wrote to memory of 5432	4640	rustdesk.exe	116
PID 4640 wrote to memory of 5432	4640	rustdesk.exe	116
PID 5432 wrote to memory of 5480	5432	cmd.exe	118
PID 5432 wrote to memory of 5480	5432	cmd.exe	118
PID 5432 wrote to memory of 5488	5432	cmd.exe	119
PID 5432 wrote to memory of 5488	5432	cmd.exe	119
PID 4640 wrote to memory of 5576	4640	rustdesk.exe	120
PID 4640 wrote to memory of 5576	4640	rustdesk.exe	120
PID 5576 wrote to memory of 5624	5576	cmd.exe	122
PID 5576 wrote to memory of 5624	5576	cmd.exe	122
PID 5576 wrote to memory of 5632	5576	cmd.exe	123
PID 5576 wrote to memory of 5632	5576	cmd.exe	123
PID 4640 wrote to memory of 5680	4640	rustdesk.exe	124
PID 4640 wrote to memory of 5680	4640	rustdesk.exe	124
PID 4640 wrote to memory of 5932	4640	rustdesk.exe	125
PID 4640 wrote to memory of 5932	4640	rustdesk.exe	125
PID 5932 wrote to memory of 5980	5932	cmd.exe	127
PID 5932 wrote to memory of 5980	5932	cmd.exe	127
PID 5932 wrote to memory of 5988	5932	cmd.exe	128
PID 5932 wrote to memory of 5988	5932	cmd.exe	128
PID 4640 wrote to memory of 6060	4640	rustdesk.exe	129
PID 4640 wrote to memory of 6060	4640	rustdesk.exe	129
PID 6060 wrote to memory of 6108	6060	cmd.exe	131
PID 6060 wrote to memory of 6108	6060	cmd.exe	131
PID 6060 wrote to memory of 6116	6060	cmd.exe	132
PID 6060 wrote to memory of 6116	6060	cmd.exe	132
PID 4640 wrote to memory of 5196	4640	rustdesk.exe	133
PID 4640 wrote to memory of 5196	4640	rustdesk.exe	133
PID 5196 wrote to memory of 5136	5196	cmd.exe	135
PID 5196 wrote to memory of 5136	5196	cmd.exe	135
PID 5196 wrote to memory of 5164	5196	cmd.exe	136
PID 5196 wrote to memory of 5164	5196	cmd.exe	136
PID 4640 wrote to memory of 3884	4640	rustdesk.exe	137
PID 4640 wrote to memory of 3884	4640	rustdesk.exe	137

C:\Users\Admin\AppData\Local\Temp\rustdesk-1.3.1-x86_64.exe
"C:\Users\Admin\AppData\Local\Temp\rustdesk-1.3.1-x86_64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /IM RuntimeBroker_rustdesk.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
  "C:\Users\Admin\AppData\Local\rustdesk\.\rustdesk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\system32\icacls.exe
    "icacls" C:\ProgramData\RustDesk /grant *S-1-1-0:(OI)(CI)F /T
    3⤵
    - Modifies file permissions
    PID:2428
- - C:\Windows\system32\icacls.exe
    "icacls" C:\ProgramData\RustDesk\shared_memory_portable_service /grant *S-1-1-0:(OI)(CI)F /T
    3⤵
    - Modifies file permissions
    PID:3208
- - C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
    "C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe" --portable-service
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:532
  - - C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
      "C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe" --run-as-system
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:4564
- - C:\Windows\system32\cmd.exe
    "cmd" /c "taskkill /F /IM RuntimeBroker_rustdesk.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM RuntimeBroker_rustdesk.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2872
- - C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
    "C:\Users\Admin\AppData\Local\rustdesk\.\rustdesk.exe" --check-hwcodec-config
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2844
- - C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
    "C:\Users\Admin\AppData\Local\rustdesk\.\rustdesk.exe" --cm
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:4332
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5132
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5180
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:5188
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5284
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5332
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:5340
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5432
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5480
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:5488
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5576
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5624
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:5632
- - C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
    "C:\Users\Admin\AppData\Local\rustdesk\.\rustdesk.exe" --cm
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:5680
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5932
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5980
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:5988
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6060
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:6108
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:6116
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5196
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5136
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:5164
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:3884
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3004
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:8
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:4424
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5056
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:772
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:5324
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5448
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:3472
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:5476
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:320
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:2260
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:5744
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5660
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:5640
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:5612
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5984
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:5980
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:6076
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:6116
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:6084
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:5296
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5196
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:5176
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:4904
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4216
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:1460
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:4332
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4480
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:5316
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:5324
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4164
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:5588
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:5548
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5636
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:5660
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:5948
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5980
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:6020
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:6132
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:6108
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:5152
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:5188
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5164
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:1496
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:1176
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4592
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:1728
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:5496
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4424
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:4304
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:4164
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5732
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:5736
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:5624
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:6012
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:6016
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:6136
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:6064
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:6132
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:5164
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4364
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:5352
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:840
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4428
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:3188
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:5496
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3116
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:5748
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:5324
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5952
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:5980
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:6004
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5380
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:6088
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:6108
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2416
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:776
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:3220
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4428
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:3188
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:1932
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3768
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:3440
- - C:\Windows\system32\cmd.exe
    "cmd" /C "tasklist | findstr consent.exe"
    3⤵
    PID:5584
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5324
  - - C:\Windows\system32\findstr.exe
      findstr consent.exe
      4⤵
      PID:5964

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x324 0x394
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RustDesk\shared_memory_portable_service

Filesize
23B

MD5
8e5101dfd9eeda884a9d10c2df29c310

SHA1
8c56d7d4570eebffe40536e402432ee0657b4dea

SHA256
f86612d8e1e75b2884616e8a0b6a97d870685a58fe7b58d1ae2191d86ca98976

SHA512
1d04fa5369fbd7ed7fc4470fba9f618855450b8bc65e53d97524beff00474b60b620c265f9c3d5c47cd372692aae15a092483381260856451fee0cc5d55f172b

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\data\app.so

Filesize
11.9MB

MD5
0137d26bdb7328ef0665582699b31461

SHA1
9d8d39516c7b5085e159ff06ff9af63838f27f24

SHA256
690a5c2802c952c1c1fc846a3c96cd029de648e97606d3451807c05d1ffe2bfd

SHA512
4f802c2766785fe03c33a0da9ac81e6795c0946caf27589aace752ae43cb518f681677edb9b0c93899be102ca41aa858a212ff925b4920bbaea552c6fcda53be

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\data\icudtl.dat

Filesize
798KB

MD5
da48e432fe61f451154f0715b2a7b174

SHA1
51b6add0bbc4e0b5200b01deca5d009f1daf9f39

SHA256
65ea729083128dfce1c00726ba932b91aaaf5e48736b5644dd37478e5f2875ac

SHA512
5af9c1e43b52536272a575ca400a9eee830a8fcecb83bb1a490515851bef48957d8de669b9f77b8614eb586838af23385e1afce622edb82a90ec7549f882d381

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\desktop_drop_plugin.dll

Filesize
316KB

MD5
ea772698fa6169aa5e68d74ba947a6ba

SHA1
3f9b0a8da21945dd9f27436b3af60c64f7340d36

SHA256
77485880ea8b85bef96439de30eb409831adb74e7c39fe07332657ca2829c789

SHA512
069e9dfedc477a407acf9270a886884aeeb50327aa2bc340cab517b2314d6dbca2c712b3b7a9a669a471886d3188d9cea3229e6771b9949f8f7c50186727eb63

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\desktop_multi_window_plugin.dll

Filesize
391KB

MD5
2c3eab74536dfb70d8d990b09343685b

SHA1
40187d865137f49e27ed832c4b8b624dfae44851

SHA256
fc81d07d452aff704fae1b0ee2246fb8692bdf8ad0cb20e528d73cc576be0e4c

SHA512
cc3400275680b09f59cfdc3cd276f6afc27f4191b9c93515ae24908e825ebefe0ac13e027845e25cd3779685c49a41516ed2190108d836aa909ed05dae570e5d

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\file_selector_windows_plugin.dll

Filesize
340KB

MD5
94d93801a592b1771f6a9f2aecaeb295

SHA1
db95a4622a8223beaa1a519b00131a108fe776b6

SHA256
92046e216841a3cb533d62e74463ef31b0201e8c6bfe86e698a9708f9a101853

SHA512
0034e63fb445f1cd5a0aa51766105fb702469d784332ffa1b93b1d4d815b049e0550d5556e547c336bd5ea9e4d962ea18f9faeb9ef3abd18dd9452e2c8ad419d

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\flutter_custom_cursor_plugin.dll

Filesize
308KB

MD5
05e0c5d98e60a6c9cf046b6d685784fc

SHA1
3596279d829ea057af11c5092fe26abd9074b08a

SHA256
988918da0b4aaf2b7e6fadd422dea34b6c9753109289195c63425b263e8c3bb8

SHA512
a4d53490b47bf6e34d0b129672c37d3aff1527e9fda2c7bb1b707229ac947a0528304a68d82c7bb668310294ca33010a950a051cc61de417731c6124e35bcff1

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\flutter_gpu_texture_renderer_plugin.dll

Filesize
339KB

MD5
9042c38a7c9e19f62424be56d2df4034

SHA1
198483afa1bf494d354a4c0ac730672bd6b347f1

SHA256
a34f4f7c51b97c2f23459e1fe4eba9c64aee2d891a7a87c5d516fcd05187651e

SHA512
ac6fffd419b5b280eeb5c2e475ef07d42a8a2bbcd8ae1554e5e18ec56ab091bdeb1119ea2309b6ec178d2a43b0ddfa09552967f8ad3e451367c9e36213d45cdc

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\flutter_windows.dll

Filesize
17.2MB

MD5
751485cb3e17775d24beff211ead4b95

SHA1
a9819e44e05d375b9c1aa5b155681eb3f243b1af

SHA256
b72c3bfd095ab305114599b4b5bc611499c085247ba9f5dab7a366d791d21a25

SHA512
b026565660a19c5ad3b098eb74307d756b6d09e90ce26eb8b3bb5a579a996f0bf4c991bf575c8c5363d0cb0e68fa57b2294c044d35b4f88b542edd8ee4d02278

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\librustdesk.dll

Filesize
28.9MB

MD5
03b2dde092f5ed1aef5b393448457421

SHA1
c85b91d08ae9325c8d16c74900ce185b620378e3

SHA256
ace05fcf9eb002be7d2dbdb5fad135610428344b15c722f38b136e84f5a36ac1

SHA512
4773951a702e90af7e42bde251f3504f1d0123d71ddc184c50c0a40e5a3c631cd792c6bfcab337be9631756d34ef4212d9a863cb6e551558b764ce368ea018bc

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe

Filesize
260KB

MD5
b720a786b6b1d86cde5d20075cfaa80d

SHA1
8b59f7f0929f596b5d110757b996bee45e914e64

SHA256
402bd9766da3101a56a0be1f730760f1429d006b2b664322f9b5f010b0e0c887

SHA512
27a152818ee6ce970e8dff791d1d1c8e4785f87232a077ff029a55aa44b9c27b210d7f1c0bf8da5c89a12f9dcbbba90c5225bd7e7e4de5a3deaf10f017d224fd

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\screen_retriever_plugin.dll

Filesize
535KB

MD5
b8b4285c90991d268c0e2e64a84239d9

SHA1
7001ef4df83b0fa5e195159e2415c6f2dde1465e

SHA256
3f128268915493aaafbccfcd4f1c342c4f74548260857099fc469d7237a0a61f

SHA512
a5166d55641f8a49a9c1b9557549e4953e4b42f632a9e0aa82b82fb64a7d7a97b425ce2d7a0ff3d8ec70d094d917e92e133c3f140d3051019d2ee84843912dfa

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\texture_rgba_renderer_plugin.dll

Filesize
318KB

MD5
a3c631f16f5a757e90a77439b71cd66a

SHA1
5f54fb7db791f2a12188b8d6eb8409a7f92735aa

SHA256
e254e9eec315ee75a49a7c8c64f6f84824ef1987d700acee3f82fc6c533e0df4

SHA512
821c8af5d7686cdaecc7afbc692b7ef22e36944554c58b919cad636a05c12c875b27a1bc227d766692cbbb7aa19145b669335360d8b792619e09265dbd55e35a

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\uni_links_desktop_plugin.dll

Filesize
533KB

MD5
376649d042211c8cb0ac44b5e6903cf4

SHA1
e3103b66352a8b138fa9a7d4c2c906a9f65c0719

SHA256
ba4ae2b2d47bf50ed4fe246c4ca2a2421b4bba813bf5f86b4edf4f24feb00f4b

SHA512
55e28fb26df7beff3bc06792a33246804cee28c61cb7d6ec263bf4e13856e3ab05e7c88f84bd11df948d85eb63344a8b5b02d45c0f1db0fdb2600ec0dd1b4117

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\url_launcher_windows_plugin.dll

Filesize
318KB

MD5
4cae4f585209718154c46af73af1fe70

SHA1
56278b0e5779bbbfc77e0d86060ef42406d3bf24

SHA256
d2cda4598f2733f4341b91a78612f9598762d1d69ef36d5b0df4adea8649af3e

SHA512
c818794ae58290b699258de812370f2b199dab5a6bcb346793b4266f5a023fe15e32760966c12e18b8d3fab3a3b8bba2bef6b751c0e54c63448203128faa2b82

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\window_manager_plugin.dll

Filesize
578KB

MD5
4255c58bc699f6ac7c8b096805d23666

SHA1
94bdfb6fcd1b4004c10d79f2b054a22678df10fd

SHA256
944bd554957680277b649f9eb87af9335737aba31b0b4457f027c8933bd10ffa

SHA512
ffa4643154938663aa70cc020733704c69e6f31de5d2389bf495fdb2d9daa778fe59f6a429169422d615cca0fbab7a6023ec0b29d297f076cc20e57b2f9403d4

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\window_size_plugin.dll

Filesize
529KB

MD5
fe623217cab7bad77736461a9634af9c

SHA1
4e51b7460016137c0ceeb9158dd730cce2dcee09

SHA256
4113a493ff58578dbc1e867b23363289c3de3f4592009a2976e350b76f4648de

SHA512
b57a07c1e14d9a307d94c0ac6b92594dc7c25fd5069f9bcc62844f5fa1c11a290bfbd6850b5374875c03936a86f87385db65ebea508c3c7a6ec3609b7bb33d13

Download Submit
memory/4640-141-0x0000026B0C5B0000-0x0000026B0C5B1000-memory.dmp

Filesize
4KB

Download
memory/4640-139-0x0000026B0C6F0000-0x0000026B0D2DD000-memory.dmp

Filesize
11.9MB

Download
memory/4640-140-0x0000026B0C6F0000-0x0000026B0D2DD000-memory.dmp

Filesize
11.9MB

Download
memory/4640-138-0x0000026B0C6F0000-0x0000026B0D2DD000-memory.dmp

Filesize
11.9MB

Download
memory/4640-137-0x0000026B0C570000-0x0000026B0C571000-memory.dmp

Filesize
4KB

Download