Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 10, 2024, 1:37 p.m.	July 10, 2024, 1:42 p.m.

Size	16.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`05d5f32d7a756924b7480ea0e3a36152`
SHA256	`9b329986ce56b37886d57c617b064ddf3d771cc939890da4a55df3d173649864`
CRC32	`ED60CC6F`
ssdeep	`393216:FsFJTKV+DV4+Dlm+I4bix/dfFBqEIDBvVj:yJT8+h4Om+bix/dfz8hVj`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	Malicious_Library_Zero - Malicious_Library Win32_WinRAR_SFX_Zero - Win32 WinRAR SFX PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

rustdesk.exe "C:\Users\test22\AppData\Local\Temp\rustdesk.exe"
1616
- rustdesk-host=sehub.nl,key=SecureRustDesk.exe "C:\Users\test22\AppData\Local\Temp\RarSFX0\rustdesk-host=sehub.nl,key=SecureRustDesk.exe"
  2108
  - rustdesk.exe "C:\Users\test22\AppData\Local\rustdesk\.\rustdesk.exe"
    2164
    - icacls.exe "icacls" C:\ProgramData\RustDesk /grant Everyone:(OI)(CI)F /T
      2220
    - icacls.exe "icacls" C:\ProgramData\RustDesk\shared_memory_portable_service /grant Everyone:(OI)(CI)F /T
      2268
    - rustdesk.exe "C:\Users\test22\AppData\Local\rustdesk\rustdesk.exe" --portable-service
      2480

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 10, 2024, 1:30 p.m.			0	0

Command line console output was observed (5 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 10, 2024, 1:29 p.m.	buffer: processed file: C:\ProgramData\RustDesk console_handle: 0x0000000000000007	1	1
WriteConsoleW July 10, 2024, 1:29 p.m.	buffer: processed file: C:\ProgramData\RustDesk\shared_memory_portable_service console_handle: 0x0000000000000007	1	1
WriteConsoleW July 10, 2024, 1:29 p.m.	buffer: Successfully processed 2 files; Failed processing 0 files console_handle: 0x0000000000000007	1	1
WriteConsoleW July 10, 2024, 1:29 p.m.	buffer: processed file: C:\ProgramData\RustDesk\shared_memory_portable_service console_handle: 0x0000000000000007	1	1
WriteConsoleW July 10, 2024, 1:29 p.m.	buffer: Successfully processed 1 files; Failed processing 0 files console_handle: 0x0000000000000007	1	1

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 10, 2024, 1:29 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

Creates executable files on the filesystem (15 events)

file	C:\Users\test22\AppData\Local\rustdesk\data\flutter_assets\packages\wakelock_web\assets\no_sleep.js
file	C:\Users\test22\AppData\Local\rustdesk\uni_links_desktop_plugin.dll
file	C:\Users\test22\AppData\Local\rustdesk\desktop_multi_window_plugin.dll
file	C:\Users\test22\AppData\Local\rustdesk\dylib_virtual_display.dll
file	C:\Users\test22\AppData\Local\rustdesk\WindowInjection.dll
file	C:\Users\test22\AppData\Local\rustdesk\flutter_windows.dll
file	C:\Users\test22\AppData\Local\rustdesk\window_size_plugin.dll
file	C:\Users\test22\AppData\Local\rustdesk\flutter_custom_cursor_plugin.dll
file	C:\Users\test22\AppData\Local\rustdesk\librustdesk.dll
file	C:\Users\test22\AppData\Local\rustdesk\url_launcher_windows_plugin.dll
file	C:\Users\test22\AppData\Local\rustdesk\window_manager_plugin.dll
file	C:\Users\test22\AppData\Local\rustdesk\screen_retriever_plugin.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\rustdesk-host=sehub.nl,key=SecureRustDesk.exe
file	C:\Users\test22\AppData\Local\rustdesk\rustdesk.exe
file	C:\Users\test22\AppData\Local\rustdesk\desktop_drop_plugin.dll

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 10, 2024, 1:30 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\rustdesk\.\rustdesk.exe parameters: --portable-service filepath: C:\Users\test22\AppData\Local\rustdesk\rustdesk.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (5 events)

Time & API	Arguments	Status	Return
Process32NextW July 10, 2024, 1:30 p.m.	snapshot_handle: 0x000000000000012c process_name: smss.exe process_identifier: 232	1	1
Process32NextW July 10, 2024, 1:30 p.m.	snapshot_handle: 0x000000000000012c process_name: csrss.exe process_identifier: 308	1	1
Process32NextW July 10, 2024, 1:30 p.m.	snapshot_handle: 0x000000000000012c process_name: wininit.exe process_identifier: 344	1	1
Process32NextW July 10, 2024, 1:30 p.m.	snapshot_handle: 0x000000000000012c process_name: csrss.exe process_identifier: 356	1	1
Process32NextW July 10, 2024, 1:30 p.m.	snapshot_handle: 0x000000000000012c process_name: winlogon.exe process_identifier: 392	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 10, 2024, 1:30 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Queries for potentially installed applications (24 events)

Time & API	Arguments	Return
RegOpenKeyExW July 10, 2024, 1:29 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{54E86BC2-6C85-41F3-A9EB-1A94AC9B1F93}_is1 base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{54E86BC2-6C85-41F3-A9EB-1A94AC9B1F93}_is1	2
RegOpenKeyExW July 10, 2024, 1:29 p.m.	regkey_r: Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{54E86BC2-6C85-41F3-A9EB-1A94AC9B1F93}_is1 base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{54E86BC2-6C85-41F3-A9EB-1A94AC9B1F93}_is1	2
RegOpenKeyExW July 10, 2024, 1:29 p.m.	regkey_r: Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk	2
RegOpenKeyExW July 10, 2024, 1:29 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk	2
RegOpenKeyExW July 10, 2024, 1:29 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{54E86BC2-6C85-41F3-A9EB-1A94AC9B1F93}_is1 base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{54E86BC2-6C85-41F3-A9EB-1A94AC9B1F93}_is1	2
RegOpenKeyExW July 10, 2024, 1:29 p.m.	regkey_r: Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{54E86BC2-6C85-41F3-A9EB-1A94AC9B1F93}_is1 base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{54E86BC2-6C85-41F3-A9EB-1A94AC9B1F93}_is1	2
RegOpenKeyExW July 10, 2024, 1:29 p.m.	regkey_r: Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk	2
RegOpenKeyExW July 10, 2024, 1:29 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk	2
RegOpenKeyExW July 10, 2024, 1:30 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{54E86BC2-6C85-41F3-A9EB-1A94AC9B1F93}_is1 base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{54E86BC2-6C85-41F3-A9EB-1A94AC9B1F93}_is1	2
RegOpenKeyExW July 10, 2024, 1:30 p.m.	regkey_r: Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{54E86BC2-6C85-41F3-A9EB-1A94AC9B1F93}_is1 base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{54E86BC2-6C85-41F3-A9EB-1A94AC9B1F93}_is1	2
RegOpenKeyExW July 10, 2024, 1:30 p.m.	regkey_r: Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk	2
RegOpenKeyExW July 10, 2024, 1:30 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk	2
RegOpenKeyExW July 10, 2024, 1:30 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{54E86BC2-6C85-41F3-A9EB-1A94AC9B1F93}_is1 base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{54E86BC2-6C85-41F3-A9EB-1A94AC9B1F93}_is1	2
RegOpenKeyExW July 10, 2024, 1:30 p.m.	regkey_r: Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{54E86BC2-6C85-41F3-A9EB-1A94AC9B1F93}_is1 base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{54E86BC2-6C85-41F3-A9EB-1A94AC9B1F93}_is1	2
RegOpenKeyExW July 10, 2024, 1:30 p.m.	regkey_r: Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk	2
RegOpenKeyExW July 10, 2024, 1:30 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk	2
RegOpenKeyExW July 10, 2024, 1:30 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{54E86BC2-6C85-41F3-A9EB-1A94AC9B1F93}_is1 base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{54E86BC2-6C85-41F3-A9EB-1A94AC9B1F93}_is1	2
RegOpenKeyExW July 10, 2024, 1:30 p.m.	regkey_r: Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{54E86BC2-6C85-41F3-A9EB-1A94AC9B1F93}_is1 base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{54E86BC2-6C85-41F3-A9EB-1A94AC9B1F93}_is1	2
RegOpenKeyExW July 10, 2024, 1:30 p.m.	regkey_r: Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk	2
RegOpenKeyExW July 10, 2024, 1:30 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk	2
RegOpenKeyExW July 10, 2024, 1:30 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{54E86BC2-6C85-41F3-A9EB-1A94AC9B1F93}_is1 base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{54E86BC2-6C85-41F3-A9EB-1A94AC9B1F93}_is1	2
RegOpenKeyExW July 10, 2024, 1:30 p.m.	regkey_r: Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{54E86BC2-6C85-41F3-A9EB-1A94AC9B1F93}_is1 base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{54E86BC2-6C85-41F3-A9EB-1A94AC9B1F93}_is1	2
RegOpenKeyExW July 10, 2024, 1:30 p.m.	regkey_r: Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk	2
RegOpenKeyExW July 10, 2024, 1:30 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk	2

Expresses interest in specific running processes (1 event)

process: potential process injection target

winlogon.exe

Uses suspicious command line tools or Windows utilities (2 events)

cmdline	"icacls" C:\ProgramData\RustDesk /grant Everyone:(OI)(CI)F /T
cmdline	"icacls" C:\ProgramData\RustDesk\shared_memory_portable_service /grant Everyone:(OI)(CI)F /T

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win64.Reflo.tspz
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	Artemis
McAfee	Artemis!05D5F32D7A75
Cylance	Unsafe
Symantec	PUA.Gen.2
ClamAV	Win.Packed.Dapato-10021645-0
Kaspersky	not-a-virus:HEUR:RemoteAdmin.Win64.RustDesk.gen
DrWeb	Trojan.Siggen22.56172
Zillya	Trojan.Generic.Win32.1693826
FireEye	Generic.mg.05d5f32d7a756924
Sophos	Generic Reputation PUA (PUA)
Google	Detected
ZoneAlarm	not-a-virus:HEUR:RemoteAdmin.Win64.RustDesk.gen
Varist	W32/ABApplication.QRVQ-3317
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.4206356830
MaxSecure	Trojan.Malware.220265728.susgen
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_70% (D)

rustdesk.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All