File name:

rustdesk-1.3.2-x86_64.exe

Full analysis: https://app.any.run/tasks/ea575462-a218-4433-8ec3-f3a97a292fdd
Verdict: Malicious activity
Analysis date: November 13, 2024, 21:01:18
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
remote
rustdesk
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

AA6D18E1405A0BE5EFF04D419F9C6BBE

SHA1:

30ED558A8804B5F826A3CA4A1C2212DE58E6030A

SHA256:

465E3CC0BEFA33EF54DB3819D224E19CFFE684CFE687C76B43352F5BB9C2D87E

SSDEEP:

98304:0/NGp8rTDkqbevv6xCxzF7cAXMosAiUtFk18G0MJ6GJEe7vhVU2ZNTWLYoYeTjR+:dZNWIHhNyt7VHfhQKZtWS4v1mofMYZzy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • rustdesk.exe (PID: 5788)
      • rustdesk.exe (PID: 512)
      • rustdesk.exe (PID: 2648)
      • rustdesk.exe (PID: 6940)
      • rustdesk.exe (PID: 2236)
      • rustdesk.exe (PID: 6276)
      • rustdesk.exe (PID: 7132)
      • rustdesk.exe (PID: 1952)
      • rustdesk.exe (PID: 6148)
      • rustdesk.exe (PID: 5400)
    • Create files in the Startup directory

      • cmd.exe (PID: 6728)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • rustdesk-1.3.2-x86_64.exe (PID: 1576)
      • xcopy.exe (PID: 1156)
    • Uses TASKKILL.EXE to kill process

      • rustdesk-1.3.2-x86_64.exe (PID: 1576)
      • cmd.exe (PID: 6180)
      • cmd.exe (PID: 6728)
      • cmd.exe (PID: 6252)
    • Process drops legitimate windows executable

      • rustdesk-1.3.2-x86_64.exe (PID: 1576)
    • The process checks if it is being run in the virtual environment

      • rustdesk.exe (PID: 5788)
    • Starts CMD.EXE for commands execution

      • rustdesk.exe (PID: 5788)
      • rustdesk.exe (PID: 512)
      • rustdesk.exe (PID: 7132)
    • Application launched itself

      • rustdesk.exe (PID: 5788)
      • rustdesk.exe (PID: 7132)
      • rustdesk.exe (PID: 6276)
    • Reads the Windows owner or organization settings

      • rustdesk.exe (PID: 5788)
    • Connects to unusual port

      • rustdesk.exe (PID: 5788)
      • rustdesk.exe (PID: 7132)
    • Reads the date of Windows installation

      • rustdesk.exe (PID: 5788)
    • Starts application with an unusual extension

      • cmd.exe (PID: 6728)
    • Executing commands from a ".bat" file

      • rustdesk.exe (PID: 512)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6728)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • cmd.exe (PID: 6728)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 6728)
    • The executable file from the user directory is run by the CMD process

      • rustdesk.exe (PID: 6940)
      • rustdesk.exe (PID: 2648)
    • The process executes VB scripts

      • cmd.exe (PID: 6728)
    • Runs shell command (SCRIPT)

      • cscript.exe (PID: 3728)
      • cscript.exe (PID: 712)
      • cscript.exe (PID: 6272)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 6728)
    • Executes as Windows Service

      • rustdesk.exe (PID: 2236)
      • rustdesk.exe (PID: 6276)
    • Starts itself from another location

      • rustdesk.exe (PID: 512)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 4144)
  • INFO

    • Checks supported languages

      • rustdesk-1.3.2-x86_64.exe (PID: 1576)
      • rustdesk.exe (PID: 5788)
      • rustdesk.exe (PID: 5356)
    • Create files in a temporary directory

      • rustdesk-1.3.2-x86_64.exe (PID: 1576)
      • rustdesk.exe (PID: 512)
      • cscript.exe (PID: 3728)
      • cscript.exe (PID: 712)
      • cscript.exe (PID: 6272)
    • Creates files or folders in the user directory

      • rustdesk-1.3.2-x86_64.exe (PID: 1576)
      • rustdesk.exe (PID: 5788)
      • rustdesk.exe (PID: 5356)
      • rustdesk.exe (PID: 512)
      • rustdesk.exe (PID: 2648)
      • rustdesk.exe (PID: 6940)
    • Reads the computer name

      • rustdesk-1.3.2-x86_64.exe (PID: 1576)
      • rustdesk.exe (PID: 5788)
      • rustdesk.exe (PID: 5356)
    • Reads the machine GUID from the registry

      • rustdesk.exe (PID: 5788)
    • Reads Environment values

      • rustdesk.exe (PID: 5788)
    • Reads product name

      • rustdesk.exe (PID: 5788)
    • The process uses the downloaded file

      • rustdesk.exe (PID: 512)
    • Reads Windows Product ID

      • rustdesk.exe (PID: 5788)
    • Checks proxy server information

      • rustdesk.exe (PID: 5788)
    • Reads the software policy settings

      • rustdesk.exe (PID: 5788)
    • Changes the display of characters in the console

      • cmd.exe (PID: 6728)
    • Creates files in the program directory

      • cmd.exe (PID: 6728)
      • xcopy.exe (PID: 1156)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:10:29 02:48:40+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.41
CodeSize: 367616
InitializedDataSize: 21467136
UninitializedDataSize: -
EntryPoint: 0x4ab38
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.3.2.0
ProductVersionNumber: 1.3.2.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: RustDesk
OriginalFileName: rustdesk.exe
LegalCopyright: Copyright © 2024 Purslane Ltd. All rights reserved.
FileVersion: 1.3.2
ProductVersion: 1.3.2
FileDescription: RustDesk Remote Desktop
No data.
All screenshots are available in the full report
Total processes: 206
Monitored processes: 80
Malicious processes: 7
Suspicious processes: 9

Behavior graph

(Interactive process graph not reproduced.) Processes appearing in the graph, starting from rustdesk-1.3.2-x86_64.exe: taskkill.exe, conhost.exe, rustdesk.exe, cmd.exe, chcp.com, sc.exe, reg.exe, netsh.exe, xcopy.exe, cscript.exe, timeout.exe (many of them launched repeatedly).

Process information

PID
CMD
Path
Indicators
Parent process
PID: 512
CMD: "C:\Users\admin\AppData\Local\rustdesk\.\rustdesk.exe" --install
Path: C:\Users\admin\AppData\Local\rustdesk\rustdesk.exe
Parent process: rustdesk.exe
User:
admin
Company:
Purslane Ltd
Integrity Level:
MEDIUM
Description:
RustDesk Remote Desktop
Exit code:
3221225547
Version:
1.3.2+51
PID: 712
CMD: cscript "C:\Users\admin\AppData\Local\Temp\RustDesk_uninstall_shortcut.vbs"
Path: C:\Windows\System32\cscript.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.812.10240.16384
PID: 864
CMD: reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 1156
CMD: XCOPY "C:\Users\admin\AppData\Local\rustdesk" "C:\Program Files\RustDesk" /Y /E /H /C /I /K /R /Z
Path: C:\Windows\System32\xcopy.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Extended Copy Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 1176
CMD: reg add HKEY_CLASSES_ROOT\rustdesk /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 1280
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1452
CMD: reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v BuildDate /t REG_SZ /d "2024-10-29 02:36"
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 1452
CMD: netsh advfirewall firewall add rule name="RustDesk Service" dir=in action=allow program="C:\Program Files\RustDesk\RustDesk.exe" enable=yes
Path: C:\Windows\System32\netsh.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 1568
CMD: sc start RustDesk
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1053
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 1576
CMD: "C:\Users\admin\Desktop\rustdesk-1.3.2-x86_64.exe"
Path: C:\Users\admin\Desktop\rustdesk-1.3.2-x86_64.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
RustDesk Remote Desktop
Exit code:
0
Version:
1.3.2
Modules
Images
c:\users\admin\desktop\rustdesk-1.3.2-x86_64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 14 980
Read events: 14 963
Write events: 17
Delete events: 0

Modification events

All ten modification events are registry writes by reg.exe to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk:

PID 4128: DisplayIcon = C:\Program Files\RustDesk\RustDesk.exe
PID 5276: DisplayName = RustDesk
PID 5984: DisplayVersion = 1.3.2
PID 4816: Version = 1.3.2
PID 1452: BuildDate = 2024-10-29 02:36
PID 7128: InstallLocation = C:\Program Files\RustDesk
PID 5852: Publisher = RustDesk
PID 7100: VersionMajor = 1
PID 3960: VersionMinor = 3
PID 7112: VersionBuild = 2
Executable files: 37
Suspicious files: 30
Text files: 159
Unknown types: 7

Dropped files

PID | Process | Filename | Type
1576 | rustdesk-1.3.2-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\data\app.so | -
MD5:
SHA256:
1576 | rustdesk-1.3.2-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\desktop_multi_window_plugin.dll | executable
MD5:70D34EB15657FBC5B9AF1CE0B1A9CE34
SHA256:7FAC09857289DF417A416F48A520B422707E952F2A8DFFFE7C28E5F47A755943
1576 | rustdesk-1.3.2-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\desktop_drop_plugin.dll | executable
MD5:823B73A4D1B2DC374EAA70A6FBCB6B5B
SHA256:F7DD9527704EDF5CC41863546CAADFE67F48A1C3A1BC103229542B36D8ED9BAF
1576 | rustdesk-1.3.2-x86_64.exe | C:\Users\admin\AppData\Local\Temp\nwgC84A.tmp | text
MD5:90FEB8EDF41C48A02D0320766AFE6A4B
SHA256:70C7A70EEDD5B93E686AA0BC81BBA03D2E35228FF05BCDB3CC1EB3756E569B5C
1576 | rustdesk-1.3.2-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\file_selector_windows_plugin.dll | executable
MD5:7792CD260F3C49F200B9200B83385927
SHA256:C310576A1A07A9A3CE776FFF810C339ABF6EAE2341440DDA3B7A962C12277F5C
1576 | rustdesk-1.3.2-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\flutter_gpu_texture_renderer_plugin.dll | executable
MD5:99B57E645A7D163A82E3F359B934482F
SHA256:04C941BAFC0C9CC8FDB56BEBCA1744FB0B6B4BCDCED905A73CDFD08CBB8D0454
1576 | rustdesk-1.3.2-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\screen_retriever_plugin.dll | executable
MD5:7C6EFC7FEDAA888870280FCBD186F5F7
SHA256:0B32C3C19706075389CD8A947C3202E7E24A74D99EF22BD8E5CA4BDE2B1F762C
1576 | rustdesk-1.3.2-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\flutter_custom_cursor_plugin.dll | executable
MD5:B52D55F66BDDF10E86133D17885ABBFA
SHA256:EEA74443E302F5F5388F3404EB9544FE8F94D3A503B10A9013954498069E2F76
1576 | rustdesk-1.3.2-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\window_manager_plugin.dll | executable
MD5:200EC72AB28F84DACEE8418D0B0641B1
SHA256:8A6F4483BDFFCD966D1C5B2D99EEB7E74C09E9620691546CBB9E1D2A61CA05A3
1576 | rustdesk-1.3.2-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\url_launcher_windows_plugin.dll | executable
MD5:AF8874D6D64C607E75D027FE09E286B3
SHA256:FA76B4D152B9A37437CC0D019CFCE9DB2C3AB103C432F65BF2B53283047D6FF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 41
DNS requests: 10
Threats: 10

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6944 | svchost.exe | GET | 200 | 184.24.77.41:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 184.24.77.41:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 302 | 140.82.121.3:443 | https://github.com/rustdesk/rustdesk/releases/latest | unknown | - | - | -
- | - | GET | 302 | 140.82.121.3:443 | https://github.com/rustdesk/rustdesk/releases/latest | unknown | - | - | -
- | - | POST | 204 | 92.123.104.25:443 | https://www.bing.com/threshold/xls.aspx | unknown | - | - | whitelisted
- | - | GET | 200 | 140.82.121.3:443 | https://github.com/rustdesk/rustdesk/releases/tag/1.3.2 | unknown | html | 192 Kb | shared
- | - | POST | 204 | 92.123.104.64:443 | https://www.bing.com/threshold/xls.aspx | unknown | - | - | whitelisted
- | - | GET | 200 | 140.82.121.3:443 | https://github.com/rustdesk/rustdesk/releases/tag/1.3.2 | unknown | html | 192 Kb | shared
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4080 | RUXIMICS.exe | GET | 200 | 184.24.77.41:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6944 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4080 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 92.123.104.62:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6944 | svchost.exe | 184.24.77.41:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 184.24.77.41:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4080 | RUXIMICS.exe | 184.24.77.41:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6944 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
www.bing.com
  • 92.123.104.62
  • 92.123.104.53
  • 92.123.104.8
  • 92.123.104.7
  • 92.123.104.66
  • 92.123.104.59
  • 92.123.104.58
  • 92.123.104.51
  • 92.123.104.46
  • 2.23.209.187
  • 2.23.209.149
  • 2.23.209.133
  • 2.23.209.177
  • 2.23.209.130
  • 2.23.209.185
  • 2.23.209.148
  • 2.23.209.176
  • 2.23.209.182
whitelisted
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 184.24.77.41
  • 184.24.77.42
  • 184.24.77.28
  • 184.24.77.15
  • 184.24.77.37
  • 184.24.77.35
  • 184.24.77.10
  • 184.24.77.27
  • 184.24.77.19
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
rs-ny.rustdesk.com
  • 209.250.254.15
malicious
github.com
  • 140.82.121.3
shared
self.events.data.microsoft.com
  • 13.89.178.27
whitelisted

Threats

PID | Process | Class | Message
2172 | svchost.exe | Misc activity | ET INFO RustDesk Domain in DNS Lookup
2172 | svchost.exe | Misc activity | ET INFO RustDesk Relay Domain in DNS Lookup
8 ETPRO signatures available at the full report
No debug info