File name:	rustdesk-1.3.8-x86_64.exe
Full analysis:	https://app.any.run/tasks/a84e6ed9-7df3-425b-89ea-32f8c8bbeb85
Verdict:	Malicious activity
Analysis date:	June 19, 2025, 06:42:01
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	remote rustdesk rust
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:	40406F2CF1CC17AB4EB0AD0B14D3E61E
SHA1:	4DFE46CFC4D09CC81C8296482497C20FA2524B78
SHA256:	283557E80EE96139C66400B5302B33ACAD09CB00F88333660DB3E1D977ABF9AB
SSDEEP:	196608:a17wVqJ+f2xpPft/NECH6yVl53PQPZeQFwU86CLPzn:Y75JiWfNNEfalsZm6CTzn

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2025:02:22 12:23:59+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.42
CodeSize:	364032
InitializedDataSize:	21882880
UninitializedDataSize:	-
EntryPoint:	0x4ab38
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.3.8.0
ProductVersionNumber:	1.3.8.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
LegalCopyright:	Copyright © 2025 Purslane Ltd. All rights reserved.
FileVersion:	1.3.8
ProductName:	RustDesk
ProductVersion:	1.3.8
FileDescription:	RustDesk Remote Desktop
OriginalFileName:	rustdesk.exe


(PID) Process:	(5552) rustdesk.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5552) rustdesk.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5552) rustdesk.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2356) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 1
(PID) Process:	(2356) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(1688) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(1688) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(2356) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(2356) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: 2EB602557D962F00
(PID) Process:	(2356) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\393926
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {0CC27DF1-6A31-465F-9E36-D1C0C71A19AF}

PID	Process	Filename		Type
2976	rustdesk-1.3.8-x86_64.exe	C:\Users\admin\AppData\Local\rustdesk\data\app.so		—
		MD5:—	SHA256:—
2976	rustdesk-1.3.8-x86_64.exe	C:\Users\admin\AppData\Local\Temp\nwg7271.tmp		text
		MD5:90FEB8EDF41C48A02D0320766AFE6A4B	SHA256:70C7A70EEDD5B93E686AA0BC81BBA03D2E35228FF05BCDB3CC1EB3756E569B5C
2976	rustdesk-1.3.8-x86_64.exe	C:\Users\admin\AppData\Local\rustdesk\flutter_windows.dll		executable
		MD5:028135AF3E2D10502D3D8FB5E66C41B3	SHA256:2079BDDD4AD676D465703DCECE2AFDD3E5FB9233C7CDAB117A9C2E12EF05A9FB
2976	rustdesk-1.3.8-x86_64.exe	C:\Users\admin\AppData\Local\rustdesk\rustdesk.exe		executable
		MD5:10E9AF5261C516FE9B1A96991E3502B6	SHA256:B98F52ED46E8E67C1CDED66EDC40DB25FA7230EE292FEED5C9332A72456FD6FA
2976	rustdesk-1.3.8-x86_64.exe	C:\Users\admin\AppData\Local\rustdesk\uni_links_desktop_plugin.dll		executable
		MD5:8E3D75710986D1F714C0BDBCF4FAC75D	SHA256:DF386A1EEF4076D9812D5F83ADF7F983D5C23B462112E14248F65D5EF4ECCF8A
2976	rustdesk-1.3.8-x86_64.exe	C:\Users\admin\AppData\Local\rustdesk\flutter_custom_cursor_plugin.dll		executable
		MD5:EE79D15755FC648D400647A853274DED	SHA256:84B5DE4863463F7E1FE646A504E0AB3413971C4E9D8974A992857002F9C1780B
2976	rustdesk-1.3.8-x86_64.exe	C:\Users\admin\AppData\Local\rustdesk\data\flutter_assets\AssetManifest.bin		binary
		MD5:43D9F72B40E84E44B392BF77FC00BC9C	SHA256:15CEEFB18609B8D0000C04AB303763B733979F9BDC301719A747FD82CCBFEC85
2976	rustdesk-1.3.8-x86_64.exe	C:\Users\admin\AppData\Local\rustdesk\librustdesk.dll		executable
		MD5:2B94CCF7734DC5E22822E76E0C7C22AB	SHA256:A32DA9CA5EA5D0B1F7DA5308F55A5A37BB7CF6AB8331798867C03F7F26E3E334
2976	rustdesk-1.3.8-x86_64.exe	C:\Users\admin\AppData\Local\rustdesk\flutter_gpu_texture_renderer_plugin.dll		executable
		MD5:FBC20A33B41DD238342E8D25CAF086F6	SHA256:5B4040E426223BB31E9CE005A8B108671B84A1FF4DB64B4933969A61F045D24A
2976	rustdesk-1.3.8-x86_64.exe	C:\Users\admin\AppData\Local\rustdesk\data\flutter_assets\AssetManifest.json		binary
		MD5:08385BE2C9EC3C83D92C55A482D8D072	SHA256:3162C0F2A2F2C1A99F7905F0F1B57EE521798164E58E5480EEC9A2C58F35C27D

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4844	RUXIMICS.exe	GET	200	23.55.104.172:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.55.104.172:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	200	49.12.46.241:443	https://api.rustdesk.com/version/latest	unknown	binary	65 b	malicious
—	—	GET	200	150.171.27.11:443	https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0	unknown	binary	863 b	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	92.123.104.45:443	https://copilot.microsoft.com/c/api/user/eligibility	unknown	binary	25 b	whitelisted
—	—	GET	302	140.82.121.3:443	https://github.com/rustdesk/rustdesk/releases/latest	unknown	—	—	unknown
—	—	GET	200	13.107.42.16:443	https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=51&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1750315347&lafgdate=0	unknown	binary	1.47 Kb	whitelisted
—	—	GET	302	45.76.181.120:443	https://rustdesk.com/download	unknown	html	154 b	malicious
—	—	GET	200	185.199.108.154:443	https://github.githubassets.com/assets/dark-89751e879f8b.css	unknown	text	74.1 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4844	RUXIMICS.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4844	RUXIMICS.exe	23.55.104.172:80	crl.microsoft.com	Akamai International B.V.	US	whitelisted
5944	MoUsoCoreWorker.exe	23.55.104.172:80	crl.microsoft.com	Akamai International B.V.	US	whitelisted
1268	svchost.exe	23.55.104.172:80	crl.microsoft.com	Akamai International B.V.	US	whitelisted
4844	RUXIMICS.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
5944	MoUsoCoreWorker.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted

Domain	IP	Reputation
google.com	142.250.185.206	whitelisted
crl.microsoft.com	23.55.104.172 23.55.104.190	whitelisted
www.microsoft.com	2.23.246.101	whitelisted
settings-win.data.microsoft.com	40.127.240.158	whitelisted
rs-ny.rustdesk.com	209.250.254.15	malicious
api.rustdesk.com	49.12.46.241	malicious
edge.microsoft.com	150.171.27.11 150.171.28.11	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
rustdesk.com	45.76.181.120	malicious
copilot.microsoft.com	92.123.104.53 92.123.104.45	whitelisted

PID	Process	Class	Message
2200	svchost.exe	Misc activity	ET INFO RustDesk Domain in DNS Lookup
2200	svchost.exe	Misc activity	ET INFO RustDesk Relay Domain in DNS Lookup
5552	rustdesk.exe	Misc activity	ET INFO RustDesk Register Public Key
2200	svchost.exe	Misc activity	ET INFO RustDesk Domain in DNS Lookup
5552	rustdesk.exe	Misc activity	ET INFO RustDesk Register Public Key
3948	msedge.exe	Misc activity	ET INFO RustDesk Domain in DNS Lookup
3948	msedge.exe	Misc activity	ET INFO RustDesk Domain in DNS Lookup
5552	rustdesk.exe	Misc activity	ET INFO RustDesk Register Public Key
5552	rustdesk.exe	Misc activity	ET INFO RustDesk Register Public Key
5552	rustdesk.exe	Misc activity	ET INFO RustDesk Register Public Key

General Info

rustdesk-1.3.8-x86_64.exe

40406F2CF1CC17AB4EB0AD0B14D3E61E

4DFE46CFC4D09CC81C8296482497C20FA2524B78

283557E80EE96139C66400B5302B33ACAD09CB00F88333660DB3E1D977ABF9AB

196608:a17wVqJ+f2xpPft/NECH6yVl53PQPZeQFwU86CLPzn:Y75JiWfNNEfalsZm6CTzn

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

RUSTDESK has been detected (SURICATA)

SUSPICIOUS

Uses TASKKILL.EXE to kill process

Process drops legitimate windows executable

Starts CMD.EXE for commands execution

Reads the date of Windows installation

Reads the Windows owner or organization settings

Executable content was dropped or overwritten

Application launched itself

The process checks if it is being run in the virtual environment

Reads security settings of Internet Explorer

Connects to unusual port

There is functionality for taking screenshot (YARA)

INFO

The sample compiled with english language support

Create files in a temporary directory

Checks supported languages

Creates files or folders in the user directory

Reads the computer name

Reads Windows Product ID

Reads product name

Reads the machine GUID from the registry

Reads Environment values

Checks proxy server information

Application launched itself

Reads the software policy settings

Application based on Rust

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings