| File name: | rustdesk-1.3.8-x86_64.exe |
| Full analysis: | https://app.any.run/tasks/a84e6ed9-7df3-425b-89ea-32f8c8bbeb85 |
| Verdict: | Malicious activity |
| Analysis date: | June 19, 2025, 06:42:01 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 7 sections |
| MD5: | 40406F2CF1CC17AB4EB0AD0B14D3E61E |
| SHA1: | 4DFE46CFC4D09CC81C8296482497C20FA2524B78 |
| SHA256: | 283557E80EE96139C66400B5302B33ACAD09CB00F88333660DB3E1D977ABF9AB |
| SSDEEP: | 196608:a17wVqJ+f2xpPft/NECH6yVl53PQPZeQFwU86CLPzn:Y75JiWfNNEfalsZm6CTzn |
MALICIOUS
RUSTDESK has been detected (SURICATA)
- rustdesk.exe (PID: 5552)
- msedge.exe (PID: 3948)
SUSPICIOUS
Application launched itself
- rustdesk.exe (PID: 5552)
Uses TASKKILL.EXE to kill process
- rustdesk-1.3.8-x86_64.exe (PID: 2976)
- cmd.exe (PID: 7108)
Reads the date of Windows installation
- rustdesk.exe (PID: 5552)
Starts CMD.EXE for commands execution
- rustdesk.exe (PID: 5552)
Reads the Windows owner or organization settings
- rustdesk.exe (PID: 5552)
Executable content was dropped or overwritten
- rustdesk-1.3.8-x86_64.exe (PID: 2976)
Connects to unusual port
- rustdesk.exe (PID: 5552)
The process checks if it is being run in the virtual environment
- rustdesk.exe (PID: 5552)
Reads security settings of Internet Explorer
- rustdesk.exe (PID: 5552)
There is functionality for taking screenshot (YARA)
- rustdesk.exe (PID: 5552)
Process drops legitimate windows executable
- rustdesk-1.3.8-x86_64.exe (PID: 2976)
INFO
Create files in a temporary directory
- rustdesk-1.3.8-x86_64.exe (PID: 2976)
Reads the computer name
- rustdesk-1.3.8-x86_64.exe (PID: 2976)
- rustdesk.exe (PID: 5552)
- rustdesk.exe (PID: 3608)
- identity_helper.exe (PID: 7736)
Creates files or folders in the user directory
- rustdesk.exe (PID: 5552)
- rustdesk.exe (PID: 3608)
- rustdesk-1.3.8-x86_64.exe (PID: 2976)
Checks supported languages
- rustdesk.exe (PID: 5552)
- rustdesk.exe (PID: 3608)
- identity_helper.exe (PID: 7736)
- rustdesk-1.3.8-x86_64.exe (PID: 2976)
Reads Windows Product ID
- rustdesk.exe (PID: 5552)
Reads product name
- rustdesk.exe (PID: 5552)
Reads the machine GUID from the registry
- rustdesk.exe (PID: 5552)
Reads Environment values
- rustdesk.exe (PID: 5552)
- identity_helper.exe (PID: 7736)
Checks proxy server information
- rustdesk.exe (PID: 5552)
- slui.exe (PID: 8140)
Reads the software policy settings
- rustdesk.exe (PID: 5552)
- slui.exe (PID: 8140)
Application launched itself
- msedge.exe (PID: 1688)
- msedge.exe (PID: 2356)
Application based on Rust
- rustdesk.exe (PID: 5552)
The sample compiled with english language support
- rustdesk-1.3.8-x86_64.exe (PID: 2976)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic Win/DOS Executable (50) |
|---|---|---|
| .exe | | | DOS Executable Generic (49.9) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:02:22 12:23:59+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.42 |
| CodeSize: | 364032 |
| InitializedDataSize: | 21882880 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x4ab38 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.3.8.0 |
| ProductVersionNumber: | 1.3.8.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| LegalCopyright: | Copyright © 2025 Purslane Ltd. All rights reserved. |
| FileVersion: | 1.3.8 |
| ProductName: | RustDesk |
| ProductVersion: | 1.3.8 |
| FileDescription: | RustDesk Remote Desktop |
| OriginalFileName: | rustdesk.exe |
Total processes
171
Monitored processes
38
Malicious processes
4
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 856 | "taskkill" /F /IM RuntimeBroker_rustdesk.exe | C:\Windows\System32\taskkill.exe | — | rustdesk-1.3.8-x86_64.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1688 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rustdesk.com/download | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | rustdesk.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 133.0.3065.92 Modules
| |||||||||||||||
| 1800 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4288,i,3290451991142056716,16314130599599299327,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:2 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 133.0.3065.92 Modules
| |||||||||||||||
| 2356 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument https://rustdesk.com/download | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | msedge.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 133.0.3065.92 Modules
| |||||||||||||||
| 2532 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=5376,i,3290451991142056716,16314130599599299327,262144 --variations-seed-version --mojo-platform-channel-handle=4516 /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 133.0.3065.92 Modules
| |||||||||||||||
| 2976 | "C:\Users\admin\Desktop\rustdesk-1.3.8-x86_64.exe" | C:\Users\admin\Desktop\rustdesk-1.3.8-x86_64.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: RustDesk Remote Desktop Exit code: 0 Version: 1.3.8 Modules
| |||||||||||||||
| 3608 | "C:\Users\admin\AppData\Local\rustdesk\.\rustdesk.exe" --check-hwcodec-config | C:\Users\admin\AppData\Local\rustdesk\rustdesk.exe | — | rustdesk.exe | |||||||||||
User: admin Company: Purslane Ltd Integrity Level: MEDIUM Description: RustDesk Remote Desktop Exit code: 0 Version: 1.3.8+57 Modules
| |||||||||||||||
| 3676 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3656,i,3290451991142056716,16314130599599299327,262144 --variations-seed-version --mojo-platform-channel-handle=3696 /prefetch:1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 133.0.3065.92 Modules
| |||||||||||||||
| 3720 | taskkill /F /IM RuntimeBroker_rustdesk.exe | C:\Windows\System32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3948 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2024,i,3290451991142056716,16314130599599299327,262144 --variations-seed-version --mojo-platform-channel-handle=2536 /prefetch:3 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | msedge.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 133.0.3065.92 Modules
| |||||||||||||||
Total events
12 921
Read events
12 888
Write events
33
Delete events
0
Modification events
| (PID) Process: | (5552) rustdesk.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (5552) rustdesk.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (5552) rustdesk.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (2356) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 1 | |||
| (PID) Process: | (2356) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | state |
Value: 1 | |||
| (PID) Process: | (1688) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 0 | |||
| (PID) Process: | (1688) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | state |
Value: 2 | |||
| (PID) Process: | (2356) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics |
| Operation: | write | Name: | user_experience_metrics.stability.exited_cleanly |
Value: 0 | |||
| (PID) Process: | (2356) msedge.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault |
| Operation: | write | Name: | S-1-5-21-1693682860-607145093-2874071422-1001 |
Value: 2EB602557D962F00 | |||
| (PID) Process: | (2356) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\393926 |
| Operation: | write | Name: | WindowTabManagerFileMappingId |
Value: {0CC27DF1-6A31-465F-9E36-D1C0C71A19AF} | |||
Executable files
27
Suspicious files
208
Text files
118
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2976 | rustdesk-1.3.8-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\data\app.so | — | |
MD5:— | SHA256:— | |||
| 2976 | rustdesk-1.3.8-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\desktop_multi_window_plugin.dll | executable | |
MD5:B5162949F0B7DF66B1ACBAF86B7932E1 | SHA256:9FBE5903AB984FCD8A6495FA6DF07F41B9D53341E57A38193D453DAF8E268E58 | |||
| 2976 | rustdesk-1.3.8-x86_64.exe | C:\Users\admin\AppData\Local\Temp\nwg7271.tmp | text | |
MD5:90FEB8EDF41C48A02D0320766AFE6A4B | SHA256:70C7A70EEDD5B93E686AA0BC81BBA03D2E35228FF05BCDB3CC1EB3756E569B5C | |||
| 2976 | rustdesk-1.3.8-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\flutter_windows.dll | executable | |
MD5:028135AF3E2D10502D3D8FB5E66C41B3 | SHA256:2079BDDD4AD676D465703DCECE2AFDD3E5FB9233C7CDAB117A9C2E12EF05A9FB | |||
| 2976 | rustdesk-1.3.8-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\desktop_drop_plugin.dll | executable | |
MD5:2C777896DBFF0C869FC9A97DBDD4D04E | SHA256:83BF832E6BF00FB23A78559BCE812B9B47ED267ED72BDA43DA02095724598F33 | |||
| 2976 | rustdesk-1.3.8-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\flutter_custom_cursor_plugin.dll | executable | |
MD5:EE79D15755FC648D400647A853274DED | SHA256:84B5DE4863463F7E1FE646A504E0AB3413971C4E9D8974A992857002F9C1780B | |||
| 2976 | rustdesk-1.3.8-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\window_size_plugin.dll | executable | |
MD5:F2563D5346E45EEF85E9117D616E3CC9 | SHA256:9F59A84990DB081F717818D36DCCA5B16B93A076076C175A3BBCA63465F6FFCD | |||
| 2976 | rustdesk-1.3.8-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\WindowInjection.dll | executable | |
MD5:16851A831059344DD77C7B35452DB95C | SHA256:A5696481BDDA8D7FB8537EF9465BC2052B40705475D4D66B362FA0532075FE69 | |||
| 2976 | rustdesk-1.3.8-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\rustdesk.exe | executable | |
MD5:10E9AF5261C516FE9B1A96991E3502B6 | SHA256:B98F52ED46E8E67C1CDED66EDC40DB25FA7230EE292FEED5C9332A72456FD6FA | |||
| 2976 | rustdesk-1.3.8-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\librustdesk.dll | executable | |
MD5:2B94CCF7734DC5E22822E76E0C7C22AB | SHA256:A32DA9CA5EA5D0B1F7DA5308F55A5A37BB7CF6AB8331798867C03F7F26E3E334 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
213
TCP/UDP connections
107
DNS requests
75
Threats
15
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=51&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1750315347&lafgdate=0 | unknown | binary | 1.47 Kb | whitelisted |
1268 | svchost.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4844 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4844 | RUXIMICS.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 150.171.27.11:443 | https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0 | unknown | binary | 863 b | whitelisted |
3948 | msedge.exe | GET | 200 | 150.171.27.11:80 | http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:QWQssbfBk7QgYUDnwQeNWKZPUATRPMTzzYkiHaXCoo4&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 92.123.104.45:443 | https://copilot.microsoft.com/c/api/user/eligibility | unknown | binary | 25 b | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 2.16.241.218:443 | https://www.bing.com/bloomfilterfiles/ExpandedDomainsFilterGlobal.json | unknown | binary | 655 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
1268 | svchost.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4844 | RUXIMICS.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4844 | RUXIMICS.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted |
5944 | MoUsoCoreWorker.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted |
1268 | svchost.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted |
4844 | RUXIMICS.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
5944 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
rs-ny.rustdesk.com |
| malicious |
api.rustdesk.com |
| malicious |
edge.microsoft.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
rustdesk.com |
| malicious |
copilot.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2200 | svchost.exe | Misc activity | ET INFO RustDesk Domain in DNS Lookup |
2200 | svchost.exe | Misc activity | ET INFO RustDesk Relay Domain in DNS Lookup |
5552 | rustdesk.exe | Misc activity | ET INFO RustDesk Register Public Key |
2200 | svchost.exe | Misc activity | ET INFO RustDesk Domain in DNS Lookup |
5552 | rustdesk.exe | Misc activity | ET INFO RustDesk Register Public Key |
3948 | msedge.exe | Misc activity | ET INFO RustDesk Domain in DNS Lookup |
3948 | msedge.exe | Misc activity | ET INFO RustDesk Domain in DNS Lookup |
5552 | rustdesk.exe | Misc activity | ET INFO RustDesk Register Public Key |
5552 | rustdesk.exe | Misc activity | ET INFO RustDesk Register Public Key |
5552 | rustdesk.exe | Misc activity | ET INFO RustDesk Register Public Key |