File name: rustdesk-1.3.2-x86_64.exe

Full analysis: https://app.any.run/tasks/ea575462-a218-4433-8ec3-f3a97a292fdd
Verdict: Malicious activity
Analysis date: November 13, 2024, 21:01:18
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: remote, rustdesk
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5: AA6D18E1405A0BE5EFF04D419F9C6BBE
SHA1: 30ED558A8804B5F826A3CA4A1C2212DE58E6030A
SHA256: 465E3CC0BEFA33EF54DB3819D224E19CFFE684CFE687C76B43352F5BB9C2D87E
SSDEEP: 98304:0/NGp8rTDkqbevv6xCxzF7cAXMosAiUtFk18G0MJ6GJEe7vhVU2ZNTWLYoYeTjR+:dZNWIHhNyt7VHfhQKZtWS4v1mofMYZzy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • rustdesk.exe (PID: 5788)
      • rustdesk.exe (PID: 512)
      • rustdesk.exe (PID: 2648)
      • rustdesk.exe (PID: 6276)
      • rustdesk.exe (PID: 2236)
      • rustdesk.exe (PID: 7132)
      • rustdesk.exe (PID: 1952)
      • rustdesk.exe (PID: 6148)
      • rustdesk.exe (PID: 5400)
      • rustdesk.exe (PID: 6940)
    • Create files in the Startup directory

      • cmd.exe (PID: 6728)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • rustdesk-1.3.2-x86_64.exe (PID: 1576)
      • xcopy.exe (PID: 1156)
    • Application launched itself

      • rustdesk.exe (PID: 5788)
      • rustdesk.exe (PID: 7132)
      • rustdesk.exe (PID: 6276)
    • The process checks if it is being run in the virtual environment

      • rustdesk.exe (PID: 5788)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6180)
      • cmd.exe (PID: 6728)
      • rustdesk-1.3.2-x86_64.exe (PID: 1576)
      • cmd.exe (PID: 6252)
    • Process drops legitimate windows executable

      • rustdesk-1.3.2-x86_64.exe (PID: 1576)
    • Starts CMD.EXE for commands execution

      • rustdesk.exe (PID: 5788)
      • rustdesk.exe (PID: 512)
      • rustdesk.exe (PID: 7132)
    • Reads the date of Windows installation

      • rustdesk.exe (PID: 5788)
    • Reads the Windows owner or organization settings

      • rustdesk.exe (PID: 5788)
    • Executing commands from a ".bat" file

      • rustdesk.exe (PID: 512)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6728)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • cmd.exe (PID: 6728)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 6728)
    • The executable file from the user directory is run by the CMD process

      • rustdesk.exe (PID: 6940)
      • rustdesk.exe (PID: 2648)
    • Starts application with an unusual extension

      • cmd.exe (PID: 6728)
    • Connects to unusual port

      • rustdesk.exe (PID: 5788)
      • rustdesk.exe (PID: 7132)
    • Runs shell command (SCRIPT)

      • cscript.exe (PID: 3728)
      • cscript.exe (PID: 6272)
      • cscript.exe (PID: 712)
    • The process executes VB scripts

      • cmd.exe (PID: 6728)
    • Executes as Windows Service

      • rustdesk.exe (PID: 2236)
      • rustdesk.exe (PID: 6276)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 6728)
    • Starts itself from another location

      • rustdesk.exe (PID: 512)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 4144)
  • INFO

    • Creates files or folders in the user directory

      • rustdesk-1.3.2-x86_64.exe (PID: 1576)
      • rustdesk.exe (PID: 5356)
      • rustdesk.exe (PID: 5788)
      • rustdesk.exe (PID: 512)
      • rustdesk.exe (PID: 2648)
      • rustdesk.exe (PID: 6940)
    • Create files in a temporary directory

      • rustdesk-1.3.2-x86_64.exe (PID: 1576)
      • rustdesk.exe (PID: 512)
      • cscript.exe (PID: 3728)
      • cscript.exe (PID: 712)
      • cscript.exe (PID: 6272)
    • Checks supported languages

      • rustdesk-1.3.2-x86_64.exe (PID: 1576)
      • rustdesk.exe (PID: 5356)
      • rustdesk.exe (PID: 5788)
    • Reads the computer name

      • rustdesk-1.3.2-x86_64.exe (PID: 1576)
      • rustdesk.exe (PID: 5356)
      • rustdesk.exe (PID: 5788)
    • Reads the machine GUID from the registry

      • rustdesk.exe (PID: 5788)
    • Reads Environment values

      • rustdesk.exe (PID: 5788)
    • Reads product name

      • rustdesk.exe (PID: 5788)
    • Checks proxy server information

      • rustdesk.exe (PID: 5788)
    • Reads Windows Product ID

      • rustdesk.exe (PID: 5788)
    • Changes the display of characters in the console

      • cmd.exe (PID: 6728)
    • Reads the software policy settings

      • rustdesk.exe (PID: 5788)
    • The process uses the downloaded file

      • rustdesk.exe (PID: 512)
    • Creates files in the program directory

      • cmd.exe (PID: 6728)
      • xcopy.exe (PID: 1156)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:10:29 02:48:40+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.41
CodeSize: 367616
InitializedDataSize: 21467136
UninitializedDataSize: -
EntryPoint: 0x4ab38
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.3.2.0
ProductVersionNumber: 1.3.2.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: RustDesk
OriginalFileName: rustdesk.exe
LegalCopyright: Copyright © 2024 Purslane Ltd. All rights reserved.
FileVersion: 1.3.2
ProductVersion: 1.3.2
FileDescription: RustDesk Remote Desktop
No data.
All screenshots are available in the full report
Total processes: 206
Monitored processes: 80
Malicious processes: 7
Suspicious processes: 9

Behavior graph

start rustdesk-1.3.2-x86_64.exe taskkill.exe no specs conhost.exe no specs rustdesk.exe cmd.exe no specs rustdesk.exe no specs conhost.exe no specs taskkill.exe no specs rustdesk.exe no specs cmd.exe conhost.exe no specs chcp.com no specs sc.exe no specs sc.exe no specs taskkill.exe no specs taskkill.exe no specs reg.exe no specs reg.exe no specs netsh.exe no specs rustdesk.exe no specs reg.exe no specs rustdesk.exe no specs chcp.com no specs xcopy.exe reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cscript.exe no specs cscript.exe no specs cscript.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs rustdesk.exe no specs sc.exe no specs sc.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs netsh.exe no specs netsh.exe no specs sc.exe no specs sc.exe no specs rustdesk.exe no specs rustdesk.exe reg.exe no specs cmd.exe no specs rustdesk.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs rustdesk.exe no specs timeout.exe no specs taskkill.exe no specs rustdesk.exe

Process information

PID: 512
CMD: "C:\Users\admin\AppData\Local\rustdesk\.\rustdesk.exe" --install
Path: C:\Users\admin\AppData\Local\rustdesk\rustdesk.exe
Parent process: rustdesk.exe
User: admin
Company: Purslane Ltd
Integrity Level: MEDIUM
Description: RustDesk Remote Desktop
Exit code: 3221225547
Version: 1.3.2+51
PID: 712
CMD: cscript "C:\Users\admin\AppData\Local\Temp\RustDesk_uninstall_shortcut.vbs"
Path: C:\Windows\System32\cscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.812.10240.16384
PID: 864
CMD: reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 1156
CMD: XCOPY "C:\Users\admin\AppData\Local\rustdesk" "C:\Program Files\RustDesk" /Y /E /H /C /I /K /R /Z
Path: C:\Windows\System32\xcopy.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Extended Copy Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 1176
CMD: reg add HKEY_CLASSES_ROOT\rustdesk /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 1280
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1452
CMD: reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v BuildDate /t REG_SZ /d "2024-10-29 02:36"
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 1452
CMD: netsh advfirewall firewall add rule name="RustDesk Service" dir=in action=allow program="C:\Program Files\RustDesk\RustDesk.exe" enable=yes
Path: C:\Windows\System32\netsh.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 1568
CMD: sc start RustDesk
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 1053
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 1576
CMD: "C:\Users\admin\Desktop\rustdesk-1.3.2-x86_64.exe"
Path: C:\Users\admin\Desktop\rustdesk-1.3.2-x86_64.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: RustDesk Remote Desktop
Exit code: 0
Version: 1.3.2
Modules (Images):
c:\users\admin\desktop\rustdesk-1.3.2-x86_64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 14 980
Read events: 14 963
Write events: 17
Delete events: 0

Modification events

(PID) Process: (4128) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation: write
Name: DisplayIcon
Value: C:\Program Files\RustDesk\RustDesk.exe

(PID) Process: (5276) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation: write
Name: DisplayName
Value: RustDesk

(PID) Process: (5984) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation: write
Name: DisplayVersion
Value: 1.3.2

(PID) Process: (4816) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation: write
Name: Version
Value: 1.3.2

(PID) Process: (1452) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation: write
Name: BuildDate
Value: 2024-10-29 02:36

(PID) Process: (7128) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation: write
Name: InstallLocation
Value: C:\Program Files\RustDesk

(PID) Process: (5852) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation: write
Name: Publisher
Value: RustDesk

(PID) Process: (7100) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation: write
Name: VersionMajor
Value: 1

(PID) Process: (3960) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation: write
Name: VersionMinor
Value: 3

(PID) Process: (7112) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation: write
Name: VersionBuild
Value: 2
Executable files: 37
Suspicious files: 30
Text files: 159
Unknown types: 7

Dropped files

PID: 1576 | Process: rustdesk-1.3.2-x86_64.exe | Filename: C:\Users\admin\AppData\Local\rustdesk\data\app.so
MD5:
SHA256:

PID: 1576 | Process: rustdesk-1.3.2-x86_64.exe | Filename: C:\Users\admin\AppData\Local\Temp\nwgC84A.tmp | Type: text
MD5: 90FEB8EDF41C48A02D0320766AFE6A4B
SHA256: 70C7A70EEDD5B93E686AA0BC81BBA03D2E35228FF05BCDB3CC1EB3756E569B5C

PID: 1576 | Process: rustdesk-1.3.2-x86_64.exe | Filename: C:\Users\admin\AppData\Local\rustdesk\desktop_multi_window_plugin.dll | Type: executable
MD5: 70D34EB15657FBC5B9AF1CE0B1A9CE34
SHA256: 7FAC09857289DF417A416F48A520B422707E952F2A8DFFFE7C28E5F47A755943

PID: 1576 | Process: rustdesk-1.3.2-x86_64.exe | Filename: C:\Users\admin\AppData\Local\rustdesk\desktop_drop_plugin.dll | Type: executable
MD5: 823B73A4D1B2DC374EAA70A6FBCB6B5B
SHA256: F7DD9527704EDF5CC41863546CAADFE67F48A1C3A1BC103229542B36D8ED9BAF

PID: 1576 | Process: rustdesk-1.3.2-x86_64.exe | Filename: C:\Users\admin\AppData\Local\rustdesk\flutter_gpu_texture_renderer_plugin.dll | Type: executable
MD5: 99B57E645A7D163A82E3F359B934482F
SHA256: 04C941BAFC0C9CC8FDB56BEBCA1744FB0B6B4BCDCED905A73CDFD08CBB8D0454

PID: 1576 | Process: rustdesk-1.3.2-x86_64.exe | Filename: C:\Users\admin\AppData\Local\rustdesk\file_selector_windows_plugin.dll | Type: executable
MD5: 7792CD260F3C49F200B9200B83385927
SHA256: C310576A1A07A9A3CE776FFF810C339ABF6EAE2341440DDA3B7A962C12277F5C

PID: 1576 | Process: rustdesk-1.3.2-x86_64.exe | Filename: C:\Users\admin\AppData\Local\rustdesk\dylib_virtual_display.dll | Type: executable
MD5: CBE1A04E6EC8FB6C500FF19E1DE3C24D
SHA256: 9DD67477F2AD0E4F00903DCE3C024B8B2DA31E13B00240EB33A8CF7A30AECB47

PID: 1576 | Process: rustdesk-1.3.2-x86_64.exe | Filename: C:\Users\admin\AppData\Local\rustdesk\rustdesk.exe | Type: executable
MD5: 646CDFF6F58E5C48314E91F9A4B2DB53
SHA256: 2700477D573A8A81083046B41FF9DD8017B572D540B6D8B35E32EECFCF888598

PID: 1576 | Process: rustdesk-1.3.2-x86_64.exe | Filename: C:\Users\admin\AppData\Local\rustdesk\flutter_custom_cursor_plugin.dll | Type: executable
MD5: B52D55F66BDDF10E86133D17885ABBFA
SHA256: EEA74443E302F5F5388F3404EB9544FE8F94D3A503B10A9013954498069E2F76

PID: 1576 | Process: rustdesk-1.3.2-x86_64.exe | Filename: C:\Users\admin\AppData\Local\rustdesk\librustdesk.dll | Type: executable
MD5: C9B60ED38BD118796F3B4DA969D8849D
SHA256: A100E96FF8A1921F6DDF8EC54B64DE97F2912E56622447FB07022852A1033764
HTTP(S) requests: 12
TCP/UDP connections: 41
DNS requests: 10
Threats: 10

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6944 | svchost.exe | GET | 200 | 184.24.77.41:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 184.24.77.41:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4080 | RUXIMICS.exe | GET | 200 | 184.24.77.41:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6944 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4080 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 302 | 140.82.121.3:443 | https://github.com/rustdesk/rustdesk/releases/latest | unknown | - | - | unknown
- | - | GET | 302 | 140.82.121.3:443 | https://github.com/rustdesk/rustdesk/releases/latest | unknown | - | - | unknown
- | - | GET | 200 | 140.82.121.3:443 | https://github.com/rustdesk/rustdesk/releases/tag/1.3.2 | unknown | html | 192 Kb | shared
- | - | POST | 204 | 92.123.104.64:443 | https://www.bing.com/threshold/xls.aspx | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6944 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4080 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 92.123.104.62:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6944 | svchost.exe | 184.24.77.41:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 184.24.77.41:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4080 | RUXIMICS.exe | 184.24.77.41:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6944 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
www.bing.com
  • 92.123.104.62
  • 92.123.104.53
  • 92.123.104.8
  • 92.123.104.7
  • 92.123.104.66
  • 92.123.104.59
  • 92.123.104.58
  • 92.123.104.51
  • 92.123.104.46
  • 2.23.209.187
  • 2.23.209.149
  • 2.23.209.133
  • 2.23.209.177
  • 2.23.209.130
  • 2.23.209.185
  • 2.23.209.148
  • 2.23.209.176
  • 2.23.209.182
whitelisted
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 184.24.77.41
  • 184.24.77.42
  • 184.24.77.28
  • 184.24.77.15
  • 184.24.77.37
  • 184.24.77.35
  • 184.24.77.10
  • 184.24.77.27
  • 184.24.77.19
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
rs-ny.rustdesk.com
  • 209.250.254.15
malicious
github.com
  • 140.82.121.3
shared
self.events.data.microsoft.com
  • 13.89.178.27
whitelisted

Threats

PID | Process | Class | Message
2172 | svchost.exe | Misc activity | ET INFO RustDesk Domain in DNS Lookup
2172 | svchost.exe | Misc activity | ET INFO RustDesk Relay Domain in DNS Lookup
8 ETPRO signatures available at the full report
No debug info