File name:

rustdesk.exe

Full analysis: https://app.any.run/tasks/1bc4cc74-fed1-400d-8dc5-e71384041bb8
Verdict: Malicious activity
Analysis date: July 09, 2024, 22:09:58
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
remote
rustdesk
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

5BD1B1DEC2D0430CA31E32E34A33EC52

SHA1:

CD5A0358E788D3981AD4680C332610E3EBF6AD28

SHA256:

8D9EAC888ED21ABBC303D2ACD06B29AE4C1A3CDD0C9F2E36D679848495CC5103

SSDEEP:

196608:z/zYy0CqjZGm+LOf/x0CQDDMJ001b/NYAe3BEU2ro5+z:z/zYy0CqVGm3/ezOXFFYAOEUI3z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • rustdesk.exe (PID: 5908)

    • RUSTDESK has been detected (SURICATA)

      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 3972)

    • Create files in the Startup directory

      • cmd.exe (PID: 1544)

  • SUSPICIOUS

    • Uses TASKKILL.EXE to kill process

      • rustdesk.exe (PID: 5908)
      • cmd.exe (PID: 4276)
      • cmd.exe (PID: 1544)
      • cmd.exe (PID: 4136)

    • Starts CMD.EXE for commands execution

      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 240)
      • rustdesk.exe (PID: 3972)

    • Application launched itself

      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 1068)
      • rustdesk.exe (PID: 3972)
      • rustdesk.exe (PID: 5484)

    • Process drops legitimate windows executable

      • rustdesk.exe (PID: 5908)
      • xcopy.exe (PID: 1296)

    • Reads the Windows owner or organization settings

      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 240)
      • rustdesk.exe (PID: 5484)

    • The process checks if it is being run in the virtual environment

      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 3972)
      • rustdesk.exe (PID: 5484)

    • Executing commands from a ".bat" file

      • rustdesk.exe (PID: 240)

    • Reads the date of Windows installation

      • rustdesk.exe (PID: 240)
      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 5484)

    • Reads security settings of Internet Explorer

      • rustdesk.exe (PID: 240)

    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • cmd.exe (PID: 1544)

    • Executable content was dropped or overwritten

      • rustdesk.exe (PID: 5908)
      • xcopy.exe (PID: 1296)

    • Connects to unusual port

      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 3972)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 1544)

    • Starts application with an unusual extension

      • cmd.exe (PID: 1544)

    • Searches for installed software

      • reg.exe (PID: 2448)
      • reg.exe (PID: 2088)
      • reg.exe (PID: 4136)
      • reg.exe (PID: 2972)
      • reg.exe (PID: 5732)
      • reg.exe (PID: 2260)
      • reg.exe (PID: 5940)
      • reg.exe (PID: 5240)
      • reg.exe (PID: 4264)
      • reg.exe (PID: 4052)
      • reg.exe (PID: 4772)
      • reg.exe (PID: 884)
      • reg.exe (PID: 3224)
      • rustdesk.exe (PID: 4600)
      • rustdesk.exe (PID: 5004)
      • rustdesk.exe (PID: 1068)
      • rustdesk.exe (PID: 240)
      • rustdesk.exe (PID: 3972)
      • rustdesk.exe (PID: 5332)
      • rustdesk.exe (PID: 2972)
      • rustdesk.exe (PID: 5484)
      • rustdesk.exe (PID: 884)

    • Creates a software uninstall entry

      • reg.exe (PID: 2088)
      • reg.exe (PID: 4136)
      • reg.exe (PID: 2972)
      • reg.exe (PID: 5732)
      • reg.exe (PID: 2260)
      • reg.exe (PID: 5240)
      • reg.exe (PID: 5940)
      • reg.exe (PID: 4052)
      • reg.exe (PID: 4264)
      • reg.exe (PID: 884)
      • reg.exe (PID: 4772)
      • reg.exe (PID: 3224)
      • reg.exe (PID: 2448)

    • The process executes VB scripts

      • cmd.exe (PID: 1544)

    • Runs shell command (SCRIPT)

      • cscript.exe (PID: 5100)
      • cscript.exe (PID: 2728)
      • cscript.exe (PID: 2896)

    • Executes as Windows Service

      • rustdesk.exe (PID: 4600)
      • rustdesk.exe (PID: 1068)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1544)

    • The executable file from the user directory is run by the CMD process

      • rustdesk.exe (PID: 2612)
      • rustdesk.exe (PID: 5004)

    • Adds/modifies Windows certificates

      • rustdesk.exe (PID: 5004)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 1544)

    • Starts itself from another location

      • rustdesk.exe (PID: 240)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 2088)

    • There is functionality for taking screenshot (YARA)

      • rustdesk.exe (PID: 3972)
      • rustdesk.exe (PID: 1068)
      • rustdesk.exe (PID: 5332)
      • rustdesk.exe (PID: 5484)

  • INFO

    • Checks supported languages

      • rustdesk.exe (PID: 5908)
      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 5248)
      • rustdesk.exe (PID: 240)
      • chcp.com (PID: 2728)
      • chcp.com (PID: 2824)
      • rustdesk.exe (PID: 4600)
      • rustdesk.exe (PID: 5004)
      • rustdesk.exe (PID: 2612)
      • chcp.com (PID: 2916)
      • rustdesk.exe (PID: 1068)
      • rustdesk.exe (PID: 3972)
      • rustdesk.exe (PID: 5332)
      • rustdesk.exe (PID: 2972)
      • rustdesk.exe (PID: 5484)
      • rustdesk.exe (PID: 884)

    • Reads the computer name

      • rustdesk.exe (PID: 5248)
      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 240)
      • rustdesk.exe (PID: 2612)
      • rustdesk.exe (PID: 4600)
      • rustdesk.exe (PID: 5004)
      • rustdesk.exe (PID: 3972)
      • rustdesk.exe (PID: 1068)
      • rustdesk.exe (PID: 5332)
      • rustdesk.exe (PID: 2972)
      • rustdesk.exe (PID: 5484)
      • rustdesk.exe (PID: 884)

    • Reads the machine GUID from the registry

      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 3972)
      • rustdesk.exe (PID: 5484)

    • Reads Environment values

      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 240)
      • rustdesk.exe (PID: 5484)
      • rustdesk.exe (PID: 3972)

    • Creates files or folders in the user directory

      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 5248)
      • rustdesk.exe (PID: 240)
      • rustdesk.exe (PID: 2612)
      • rustdesk.exe (PID: 5908)
      • rustdesk.exe (PID: 5004)
      • rustdesk.exe (PID: 5332)
      • rustdesk.exe (PID: 5484)
      • rustdesk.exe (PID: 884)

    • Reads product name

      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 240)
      • rustdesk.exe (PID: 5484)
      • rustdesk.exe (PID: 3972)

    • Checks proxy server information

      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 5484)

    • Reads Windows Product ID

      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 240)
      • rustdesk.exe (PID: 5484)

    • Create files in a temporary directory

      • rustdesk.exe (PID: 240)
      • cscript.exe (PID: 5100)
      • cscript.exe (PID: 2728)
      • cscript.exe (PID: 2896)

    • Process checks computer location settings

      • rustdesk.exe (PID: 240)

    • Creates files in the program directory

      • cmd.exe (PID: 1544)
      • xcopy.exe (PID: 1296)

    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 5100)
      • cscript.exe (PID: 2728)
      • cscript.exe (PID: 2896)

    • Drops the executable file immediately after the start

      • xcopy.exe (PID: 1296)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2023:11:14 01:42:47+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.29
CodeSize: 334336
InitializedDataSize: 20407808
UninitializedDataSize: -
EntryPoint: 0x42e20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.2.4.39
ProductVersionNumber: 1.2.4.39
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: com.carriez
FileDescription: rustdesk
FileVersion: 1.2.4+39
InternalName: rustdesk
LegalCopyright: Copyright (C) 2023 com.carriez. All rights reserved.
OriginalFileName: rustdesk.exe
ProductName: rustdesk
ProductVersion: 1.2.4+39
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
203
Monitored processes
79
Malicious processes
8
Suspicious processes
3

Behavior graph

Click at the process to see the details
start rustdesk.exe taskkill.exe no specs conhost.exe no specs #RUSTDESK rustdesk.exe cmd.exe no specs rustdesk.exe no specs conhost.exe no specs taskkill.exe no specs rustdesk.exe no specs cmd.exe conhost.exe no specs chcp.com no specs sc.exe no specs sc.exe no specs taskkill.exe no specs taskkill.exe no specs reg.exe no specs reg.exe no specs netsh.exe no specs rustdesk.exe no specs reg.exe no specs chcp.com no specs xcopy.exe reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cscript.exe no specs cscript.exe no specs cscript.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs rustdesk.exe no specs sc.exe no specs sc.exe no specs rustdesk.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs netsh.exe no specs netsh.exe no specs sc.exe no specs sc.exe no specs THREAT rustdesk.exe no specs #RUSTDESK rustdesk.exe reg.exe no specs cmd.exe no specs THREAT rustdesk.exe no specs conhost.exe no specs cmd.exe no specs rustdesk.exe no specs conhost.exe no specs timeout.exe no specs taskkill.exe no specs THREAT rustdesk.exe rustdesk.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
240"C:\Users\admin\AppData\Local\rustdesk\.\rustdesk.exe" --installC:\Users\admin\AppData\Local\rustdesk\rustdesk.exerustdesk.exe
User:
admin
Company:
com.carriez
Integrity Level:
MEDIUM
Description:
rustdesk
Exit code:
3221225547
Version:
1.2.4+39
Modules
Images
c:\users\admin\appdata\local\rustdesk\rustdesk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\users\admin\appdata\local\rustdesk\desktop_drop_plugin.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
448reg add HKEY_CLASSES_ROOT\rustdesk /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
780reg add HKEY_CLASSES_ROOT\rustdesk\shell /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
884reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v EstimatedSize /t REG_DWORD /d 255C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
884"C:\Program Files\RustDesk\RustDesk.exe" --check-hwcodec-configC:\Program Files\RustDesk\rustdesk.exerustdesk.exe
User:
admin
Company:
com.carriez
Integrity Level:
MEDIUM
Description:
rustdesk
Exit code:
0
Version:
1.2.4+39
Modules
Images
c:\program files\rustdesk\rustdesk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\program files\rustdesk\desktop_drop_plugin.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
900sc start RustDeskC:\Windows\System32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1053
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
900reg add HKEY_CLASSES_ROOT\rustdesk\shell\open\command /f /ve /t REG_SZ /d "\"C:\Program Files\RustDesk\RustDesk.exe\" \"%1\""C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1068"C:\Program Files\RustDesk\RustDesk.exe" --serviceC:\Program Files\RustDesk\rustdesk.exe
services.exe
User:
SYSTEM
Company:
com.carriez
Integrity Level:
SYSTEM
Description:
rustdesk
Version:
1.2.4+39
Modules
Images
c:\program files\rustdesk\rustdesk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\program files\rustdesk\desktop_drop_plugin.dll
c:\program files\rustdesk\desktop_multi_window_plugin.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
1296XCOPY "C:\Users\admin\AppData\Local\rustdesk" "C:\Program Files\RustDesk" /Y /E /H /C /I /K /R /ZC:\Windows\System32\xcopy.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Extended Copy Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
1328\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetaskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
21 381
Read events
21 347
Write events
32
Delete events
2

Modification events

(PID) Process:(240) rustdesk.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(240) rustdesk.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(240) rustdesk.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(240) rustdesk.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2448) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation:writeName:DisplayIcon
Value:
C:\Program Files\RustDesk\RustDesk.exe
(PID) Process:(2088) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation:writeName:DisplayName
Value:
RustDesk
(PID) Process:(4136) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation:writeName:DisplayVersion
Value:
1.2.4
(PID) Process:(2972) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation:writeName:Version
Value:
1.2.4
(PID) Process:(2260) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation:writeName:BuildDate
Value:
2023-11-14 01:30
(PID) Process:(5732) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation:writeName:InstallLocation
Value:
C:\Program Files\RustDesk
Executable files
34
Suspicious files
29
Text files
159
Unknown types
10

Dropped files

PID
Process
Filename
Type
5908rustdesk.exeC:\Users\admin\AppData\Local\rustdesk\data\app.so
MD5:
SHA256:
5908rustdesk.exeC:\Users\admin\AppData\Local\rustdesk\dylib_virtual_display.dllexecutable
MD5:1E079D3D4CA3E0ACAC77F0D4B2CCDCB2
SHA256:67A44EF56CC2A329D71C7AFE12F3A33DF2D38716661A490D931D372CA3B5E642
5908rustdesk.exeC:\Users\admin\AppData\Local\rustdesk\desktop_multi_window_plugin.dllexecutable
MD5:B9E9A099ECA27ABE153E79BE1FE88E10
SHA256:F8418B5C8F002F8873F533C5FC3CACF2756067D1EE06078C79D861D3D406C851
5908rustdesk.exeC:\Users\admin\AppData\Local\rustdesk\flutter_windows.dllexecutable
MD5:6BA023B1EDD7BFB9CF1F0DB61EF3D92B
SHA256:9EF1B2192D7CA6814AF87CA6F389872C4B724DF0BA749E9ED5FD1B2264AD4364
5908rustdesk.exeC:\Users\admin\AppData\Local\rustdesk\uni_links_desktop_plugin.dllexecutable
MD5:88F3A463C5335F9DE14A6DE14B5D8EAC
SHA256:13304FA513B638A79D1F2F888BAA2EC16C473C664B30A97FB8E139472609E082
5908rustdesk.exeC:\Users\admin\AppData\Local\rustdesk\texture_rgba_renderer_plugin.dllexecutable
MD5:A9C2EDF331478D72770B455191F0FC07
SHA256:CCEE34B743792446803B608ADA911CEACD84455BF808B7F37C9C0F04A8232156
5908rustdesk.exeC:\Users\admin\AppData\Local\rustdesk\desktop_drop_plugin.dllexecutable
MD5:886DDA51D7688A453CFA9357A61A8DCB
SHA256:C812E27866979E18771E3F36882D573E8115CF8D1C56387508687C7A89ED1912
5908rustdesk.exeC:\Users\admin\AppData\Local\rustdesk\url_launcher_windows_plugin.dllexecutable
MD5:29F5FF5D9F985E0644C0208CD3834FD0
SHA256:F8A1E50CFFDFB32FF9826034268F5F95DE6B630BD4C071E30BF98D8BD0FD01BC
5908rustdesk.exeC:\Users\admin\AppData\Local\rustdesk\window_manager_plugin.dllexecutable
MD5:0D000CA39ACEEC51341B198A0AFC4B5A
SHA256:D443F4EA02034300D2A8F122EDC44CBB3DB07302A7D44A217FE165E082BA125C
5908rustdesk.exeC:\Users\admin\AppData\Local\rustdesk\WindowInjection.dllexecutable
MD5:5B4F483B8A9F7E131A6C4EF8C83686F7
SHA256:D72F7E51054E937EBA272297A63EA5C4AD972947CC1636292589C7A25203CCA3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
46
DNS requests
7
Threats
104

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1272
RUXIMICS.exe
GET
200
2.16.164.34:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
2064
MoUsoCoreWorker.exe
GET
200
2.16.164.34:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
1272
RUXIMICS.exe
GET
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
3168
rustdesk.exe
POST
81.219.193.10:21114
http://81.219.193.10:21114/api/sysinfo
unknown
unknown
2064
MoUsoCoreWorker.exe
GET
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
3972
rustdesk.exe
POST
81.219.193.10:21114
http://81.219.193.10:21114/api/sysinfo
unknown
unknown
3972
rustdesk.exe
POST
81.219.193.10:21114
http://81.219.193.10:21114/api/heartbeat
unknown
unknown
3972
rustdesk.exe
POST
81.219.193.10:21114
http://81.219.193.10:21114/api/heartbeat
unknown
unknown
3972
rustdesk.exe
POST
81.219.193.10:21114
http://81.219.193.10:21114/api/heartbeat
unknown
unknown
3972
rustdesk.exe
POST
81.219.193.10:21114
http://81.219.193.10:21114/api/heartbeat
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4392
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
239.255.255.250:1900
whitelisted
1272
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2064
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1272
RUXIMICS.exe
2.16.164.34:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
2064
MoUsoCoreWorker.exe
2.16.164.34:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
3168
rustdesk.exe
81.219.193.10:21116
unknown
3168
rustdesk.exe
81.219.193.10:21115
Netia SA
PL
unknown
1272
RUXIMICS.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
unknown

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.16.164.34
  • 2.16.164.32
  • 2.16.164.24
  • 2.16.164.17
  • 2.16.164.106
  • 2.16.164.72
  • 2.16.164.120
  • 2.16.164.51
whitelisted
github.com
  • 140.82.121.4
shared
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
self.events.data.microsoft.com
  • 52.182.141.63
whitelisted

Threats

PID
Process
Class
Message
3168
rustdesk.exe
Misc activity
ET INFO RustDesk Register Public Key
3168
rustdesk.exe
Misc activity
ET INFO RustDesk Register Public Key
3972
rustdesk.exe
Misc activity
ET INFO RustDesk Register Public Key
3972
rustdesk.exe
Misc activity
ET INFO RustDesk Register Public Key
3972
rustdesk.exe
Misc activity
ET INFO RustDesk Register Public Key
3972
rustdesk.exe
Misc activity
ET INFO RustDesk Register Public Key
3972
rustdesk.exe
Misc activity
ET INFO RustDesk Register Public Key
3972
rustdesk.exe
Misc activity
ET INFO RustDesk Register Public Key
3972
rustdesk.exe
Misc activity
ET INFO RustDesk Register Public Key
3972
rustdesk.exe
Misc activity
ET INFO RustDesk Register Public Key
20 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
rustdesk.exe