Splashtop-Splashtop Streamer-Remote Session

16 events across 1 channel

Event ID	Title	Channel
1000	A Splashtop remote session (Session_ID) has started to this computer by SPID …	Operational
1001	The Splashtop remote session (Session_ID) has ended.	Operational
1100	A file was transferred during the Splashtop remote session (Session_ID).	Operational
1101	A file was transferred during the Splashtop remote session (Session_ID).	Operational
1110	A file was transferred during the Splashtop remote session (Session_ID).	Operational
1111	A file was transferred during the Splashtop remote session (Session_ID).	Operational
1200	The user SPID enabled blank Screen during the Splashtop remote session …	Operational
1201	The user SPID disabled blank Screen during the Splashtop remote session …	Operational
1300	The user SPID triggered Normal Reboot during the Splashtop remote session …	Operational
1310	The user SPID triggered Safe Mode Reboot during the Splashtop remote session …	Operational
1500	The user SPID enabled Lock Keyboard and Mouse during the Splashtop remote …	Operational
1501	The user SPID disabled Lock Keyboard and Mouse during the Splashtop remote …	Operational
1600	The user SPID has changed to a different session during the Splashtop remote …	Operational
1700	The user SPID enabled Device Redirection during the Splashtop remote session …	Operational
1701	The user SPID disabled Device Redirection during the Splashtop remote session …	Operational
1710	The user SPID enabled Remote Microphone during the Splashtop remote session …	Operational

Event ID 1000 — A Splashtop remote session (Session_ID) has started to this computer by SPID from the device SRC_Name.

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

A Splashtop remote session (Session_ID) has started to this computer by SPID from the device SRC_Name.

Message #

A Splashtop remote session (%1) has started to this computer by %2 from the device %3.

App version: %4

Fields #

Name	Description
`Session_ID` UnicodeString	—
`SPID` UnicodeString	—
`SRC_Name` UnicodeString	—
`Version_number` UnicodeString	—

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1001 — The Splashtop remote session (Session_ID) has ended.

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

The Splashtop remote session (Session_ID) has ended. The remote session lasted Duration_Time.

Message #

The Splashtop remote session (%1) has ended. The remote session lasted %2.

App version: %3

Fields #

Name	Description
`Session_ID` UnicodeString	—
`Duration_Time` UnicodeString	—
`Version_number` UnicodeString	—

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1100 — A file was transferred during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

A file was transferred during the Splashtop remote session (Session_ID).

Message #

A file was transferred during the Splashtop remote session (%1).

App version: %2

File name: %3

From: %4 (%5)

To: %6 (%7)

Error code: N/A

Fields #

Name	Description
`Session_ID` UnicodeString	—
`Version_number` UnicodeString	—
`File_Name` UnicodeString	—
`SRS_Name` UnicodeString	—
`SRS_Path` UnicodeString	—
`SRC_Name` UnicodeString	—
`SRC_Path` UnicodeString	—

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1101 — A file was transferred during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

A file was transferred during the Splashtop remote session (Session_ID).

Message #

A file was transferred during the Splashtop remote session (%1).

App version: %2

File name: %3

From: %4 (%5)

To: %6 (%7)

Error cod: N/A

Fields #

Name	Description
`Session_ID` UnicodeString	—
`Version_number` UnicodeString	—
`File_Name` UnicodeString	—
`SRC_Name` UnicodeString	—
`SRC_Path` UnicodeString	—
`SRS_Name` UnicodeString	—
`SRS_Path` UnicodeString	—

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1110 — A file was transferred during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

A file was transferred during the Splashtop remote session (Session_ID).

Message #

A file was transferred during the Splashtop remote session (%1).

App version: %2

File name: %3

From: %4 (%5)

To: %6 (%7)

Error code: %8

Fields #

Name	Description
`Session_ID` UnicodeString	—
`Version_number` UnicodeString	—
`File_Name` UnicodeString	—
`SRS_Name` UnicodeString	—
`SRS_Path` UnicodeString	—
`SRC_Name` UnicodeString	—
`SRC_Path` UnicodeString	—
`Error_code` UnicodeString	—

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1111 — A file was transferred during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

A file was transferred during the Splashtop remote session (Session_ID).

Message #

A file was transferred during the Splashtop remote session (%1).

App version: %2

File name: %3

From: %4 (%5)

To: %6 (%7)

Error code: %8

Fields #

Name	Description
`Session_ID` UnicodeString	—
`Version_number` UnicodeString	—
`File_Name` UnicodeString	—
`SRC_Name` UnicodeString	—
`SRC_Path` UnicodeString	—
`SRS_Name` UnicodeString	—
`SRS_Path` UnicodeString	—
`Error_code` UnicodeString	—

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1200 — The user SPID enabled blank Screen during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

The user SPID enabled blank Screen during the Splashtop remote session (Session_ID).

Message #

The user %1 enabled blank Screen during the Splashtop remote session (%2).

App version: %3

Fields #

Name	Description
`SPID` UnicodeString	—
`Session_ID` UnicodeString	—
`Version_number` UnicodeString	—

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1201 — The user SPID disabled blank Screen during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

The user SPID disabled blank Screen during the Splashtop remote session (Session_ID).

Message #

The user %1 disabled blank Screen during the Splashtop remote session (%2).

App version: %3

Fields #

Name	Description
`SPID` UnicodeString	—
`Session_ID` UnicodeString	—
`Version_number` UnicodeString	—

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1300 — The user SPID triggered Normal Reboot during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

The user SPID triggered Normal Reboot during the Splashtop remote session (Session_ID).

Message #

The user %1 triggered Normal Reboot during the Splashtop remote session (%2).

App version: %3

Fields #

Name	Description
`SPID` UnicodeString	—
`Session_ID` UnicodeString	—
`Version_number` UnicodeString	—

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1310 — The user SPID triggered Safe Mode Reboot during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

The user SPID triggered Safe Mode Reboot during the Splashtop remote session (Session_ID).

Message #

The user %1 triggered Safe Mode Reboot during the Splashtop remote session (%2).

App version: %3

Fields #

Name	Description
`SPID` UnicodeString	—
`Session_ID` UnicodeString	—
`Version_number` UnicodeString	—

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1500 — The user SPID enabled Lock Keyboard and Mouse during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

The user SPID enabled Lock Keyboard and Mouse during the Splashtop remote session (Session_ID).

Message #

The user %1 enabled Lock Keyboard and Mouse during the Splashtop remote session (%2).

App version: %3

Fields #

Name	Description
`SPID` UnicodeString	—
`Session_ID` UnicodeString	—
`Version_number` UnicodeString	—

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1501 — The user SPID disabled Lock Keyboard and Mouse during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

The user SPID disabled Lock Keyboard and Mouse during the Splashtop remote session (Session_ID).

Message #

The user %1 disabled Lock Keyboard and Mouse during the Splashtop remote session (%2).

App version: %3

Fields #

Name	Description
`SPID` UnicodeString	—
`Session_ID` UnicodeString	—
`Version_number` UnicodeString	—

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1600 — The user SPID has changed to a different session during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

The user SPID has changed to a different session during the Splashtop remote session (Session_ID).

Message #

The user %1 has changed to a different session during the Splashtop remote session (%2).

App version: %3

To: %4

Fields #

Name	Description
`SPID` UnicodeString	—
`Session_ID` UnicodeString	—
`Version_number` UnicodeString	—
`Terminal_Session_ID` UnicodeString	—

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1700 — The user SPID enabled Device Redirection during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

The user SPID enabled Device Redirection during the Splashtop remote session (Session_ID).

Message #

The user %1 enabled Device Redirection during the Splashtop remote session (%2).

App version: %3

Source: %4



Device info

Product name: %5 (%6)

Manufacturer: %7 (%8)

Serial number: %9

VendorID: %10

ProductID: %11

Class type: %12 (%13)

Sub-class type: %14 (%15)

Protocol: %16 (%17)

Device version: %18

Usb version: %19

Fields #

Name	Description
`SPID` UnicodeString	—
`Session_ID` UnicodeString	—
`Version_number` UnicodeString	—
`Reason` UnicodeString	—
`Product_Name` UnicodeString	—
`Mounted_Product_Name` UnicodeString	—
`Manufacturer` UnicodeString	—
`Mounted_Manufacturer` UnicodeString	—
`Serial_Numver` UnicodeString	—
`Vendor_ID` UnicodeString	—
`Product_ID` UnicodeString	—
`Class_Type` UnicodeString	—
`Mounted_Class_Type` UnicodeString	—
`SubClass_Type` UnicodeString	—
`Mounted_SubClass_Type` UnicodeString	—
`Protocol` UnicodeString	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Mounted_Protocol` UnicodeString	—
`Device_Version` UnicodeString	—
`USB_Version` UnicodeString	—

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1701 — The user SPID disabled Device Redirection during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

The user SPID disabled Device Redirection during the Splashtop remote session (Session_ID).

Message #

The user %1 disabled Device Redirection during the Splashtop remote session (%2).

App version: %3

Source: %4



Device info

Product name: %5 (%6)

Manufacturer: %7 (%8)

Serial number: %9

VendorID: %10

ProductID: %11

Class type: %12 (%13)

Sub-class type: %14 (%15)

Protocol: %16 (%17)

Device version: %18

Usb version: %19

Fields #

Name	Description
`SPID` UnicodeString	—
`Session_ID` UnicodeString	—
`Version_number` UnicodeString	—
`Reason` UnicodeString	—
`Product_Name` UnicodeString	—
`Mounted_Product_Name` UnicodeString	—
`Manufacturer` UnicodeString	—
`Mounted_Manufacturer` UnicodeString	—
`Serial_Numver` UnicodeString	—
`Vendor_ID` UnicodeString	—
`Product_ID` UnicodeString	—
`Class_Type` UnicodeString	—
`Mounted_Class_Type` UnicodeString	—
`SubClass_Type` UnicodeString	—
`Mounted_SubClass_Type` UnicodeString	—
`Protocol` UnicodeString	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Mounted_Protocol` UnicodeString	—
`Device_Version` UnicodeString	—
`USB_Version` UnicodeString	—

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1710 — The user SPID enabled Remote Microphone during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

The user SPID enabled Remote Microphone during the Splashtop remote session (Session_ID).

Message #

The user %1 enabled Remote Microphone during the Splashtop remote session (%2).

App version: %3

Fields #

Name	Description
`SPID` UnicodeString	—
`Session_ID` UnicodeString	—
`Version_number` UnicodeString	—

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop