File name:

rustdesk.exe

Full analysis: https://app.any.run/tasks/1bc4cc74-fed1-400d-8dc5-e71384041bb8
Verdict: Malicious activity
Analysis date: July 09, 2024, 22:09:58
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
remote
rustdesk
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

5BD1B1DEC2D0430CA31E32E34A33EC52

SHA1:

CD5A0358E788D3981AD4680C332610E3EBF6AD28

SHA256:

8D9EAC888ED21ABBC303D2ACD06B29AE4C1A3CDD0C9F2E36D679848495CC5103

SSDEEP:

196608:z/zYy0CqjZGm+LOf/x0CQDDMJ001b/NYAe3BEU2ro5+z:z/zYy0CqVGm3/ezOXFFYAOEUI3z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • rustdesk.exe (PID: 5908)

    • RUSTDESK has been detected (SURICATA)

      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 3972)

    • Create files in the Startup directory

      • cmd.exe (PID: 1544)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • rustdesk.exe (PID: 5908)
      • xcopy.exe (PID: 1296)

    • Process drops legitimate windows executable

      • rustdesk.exe (PID: 5908)
      • xcopy.exe (PID: 1296)

    • Starts CMD.EXE for commands execution

      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 240)
      • rustdesk.exe (PID: 3972)

    • Application launched itself

      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 1068)
      • rustdesk.exe (PID: 3972)
      • rustdesk.exe (PID: 5484)

    • Uses TASKKILL.EXE to kill process

      • rustdesk.exe (PID: 5908)
      • cmd.exe (PID: 4276)
      • cmd.exe (PID: 1544)
      • cmd.exe (PID: 4136)

    • Reads the date of Windows installation

      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 240)
      • rustdesk.exe (PID: 5484)

    • The process checks if it is being run in the virtual environment

      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 3972)
      • rustdesk.exe (PID: 5484)

    • Reads the Windows owner or organization settings

      • rustdesk.exe (PID: 240)
      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 5484)

    • Reads security settings of Internet Explorer

      • rustdesk.exe (PID: 240)

    • Starts application with an unusual extension

      • cmd.exe (PID: 1544)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1544)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 1544)

    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • cmd.exe (PID: 1544)

    • The executable file from the user directory is run by the CMD process

      • rustdesk.exe (PID: 2612)
      • rustdesk.exe (PID: 5004)

    • Executing commands from a ".bat" file

      • rustdesk.exe (PID: 240)

    • Connects to unusual port

      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 3972)

    • Creates a software uninstall entry

      • reg.exe (PID: 2972)
      • reg.exe (PID: 2448)
      • reg.exe (PID: 2088)
      • reg.exe (PID: 2260)
      • reg.exe (PID: 5732)
      • reg.exe (PID: 4136)
      • reg.exe (PID: 4264)
      • reg.exe (PID: 4052)
      • reg.exe (PID: 884)
      • reg.exe (PID: 3224)
      • reg.exe (PID: 5940)
      • reg.exe (PID: 5240)
      • reg.exe (PID: 4772)

    • Searches for installed software

      • reg.exe (PID: 2448)
      • reg.exe (PID: 2088)
      • reg.exe (PID: 4136)
      • reg.exe (PID: 2972)
      • reg.exe (PID: 5732)
      • reg.exe (PID: 2260)
      • reg.exe (PID: 4264)
      • reg.exe (PID: 4052)
      • reg.exe (PID: 4772)
      • reg.exe (PID: 884)
      • reg.exe (PID: 3224)
      • reg.exe (PID: 5940)
      • reg.exe (PID: 5240)
      • rustdesk.exe (PID: 4600)
      • rustdesk.exe (PID: 5004)
      • rustdesk.exe (PID: 1068)
      • rustdesk.exe (PID: 240)
      • rustdesk.exe (PID: 3972)
      • rustdesk.exe (PID: 5332)
      • rustdesk.exe (PID: 2972)
      • rustdesk.exe (PID: 5484)
      • rustdesk.exe (PID: 884)

    • The process executes VB scripts

      • cmd.exe (PID: 1544)

    • Runs shell command (SCRIPT)

      • cscript.exe (PID: 2728)
      • cscript.exe (PID: 2896)
      • cscript.exe (PID: 5100)

    • Executes as Windows Service

      • rustdesk.exe (PID: 4600)
      • rustdesk.exe (PID: 1068)

    • Adds/modifies Windows certificates

      • rustdesk.exe (PID: 5004)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 1544)

    • Starts itself from another location

      • rustdesk.exe (PID: 240)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 2088)

    • There is functionality for taking screenshot (YARA)

      • rustdesk.exe (PID: 3972)
      • rustdesk.exe (PID: 1068)
      • rustdesk.exe (PID: 5332)
      • rustdesk.exe (PID: 5484)

  • INFO

    • Checks supported languages

      • rustdesk.exe (PID: 5908)
      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 5248)
      • rustdesk.exe (PID: 240)
      • chcp.com (PID: 2824)
      • chcp.com (PID: 2728)
      • rustdesk.exe (PID: 2612)
      • rustdesk.exe (PID: 4600)
      • rustdesk.exe (PID: 5004)
      • chcp.com (PID: 2916)
      • rustdesk.exe (PID: 1068)
      • rustdesk.exe (PID: 3972)
      • rustdesk.exe (PID: 5332)
      • rustdesk.exe (PID: 2972)
      • rustdesk.exe (PID: 5484)
      • rustdesk.exe (PID: 884)

    • Creates files or folders in the user directory

      • rustdesk.exe (PID: 5908)
      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 5248)
      • rustdesk.exe (PID: 240)
      • rustdesk.exe (PID: 2612)
      • rustdesk.exe (PID: 5004)
      • rustdesk.exe (PID: 5332)
      • rustdesk.exe (PID: 5484)
      • rustdesk.exe (PID: 884)

    • Reads the computer name

      • rustdesk.exe (PID: 5248)
      • rustdesk.exe (PID: 240)
      • rustdesk.exe (PID: 2612)
      • rustdesk.exe (PID: 4600)
      • rustdesk.exe (PID: 5004)
      • rustdesk.exe (PID: 1068)
      • rustdesk.exe (PID: 3972)
      • rustdesk.exe (PID: 5332)
      • rustdesk.exe (PID: 5484)
      • rustdesk.exe (PID: 884)
      • rustdesk.exe (PID: 2972)
      • rustdesk.exe (PID: 3168)

    • Reads Environment values

      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 240)
      • rustdesk.exe (PID: 5484)
      • rustdesk.exe (PID: 3972)

    • Reads product name

      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 240)
      • rustdesk.exe (PID: 3972)
      • rustdesk.exe (PID: 5484)

    • Reads Windows Product ID

      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 240)
      • rustdesk.exe (PID: 5484)

    • Checks proxy server information

      • rustdesk.exe (PID: 3168)
      • rustdesk.exe (PID: 5484)

    • Create files in a temporary directory

      • rustdesk.exe (PID: 240)
      • cscript.exe (PID: 2896)
      • cscript.exe (PID: 5100)
      • cscript.exe (PID: 2728)

    • Creates files in the program directory

      • cmd.exe (PID: 1544)
      • xcopy.exe (PID: 1296)

    • Process checks computer location settings

      • rustdesk.exe (PID: 240)

    • Drops the executable file immediately after the start

      • xcopy.exe (PID: 1296)

    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 5100)
      • cscript.exe (PID: 2896)
      • cscript.exe (PID: 2728)

    • Reads the machine GUID from the registry

      • rustdesk.exe (PID: 3972)
      • rustdesk.exe (PID: 5484)
      • rustdesk.exe (PID: 3168)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2023:11:14 01:42:47+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.29
CodeSize: 334336
InitializedDataSize: 20407808
UninitializedDataSize: -
EntryPoint: 0x42e20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.2.4.39
ProductVersionNumber: 1.2.4.39
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: com.carriez
FileDescription: rustdesk
FileVersion: 1.2.4+39
InternalName: rustdesk
LegalCopyright: Copyright (C) 2023 com.carriez. All rights reserved.
OriginalFileName: rustdesk.exe
ProductName: rustdesk
ProductVersion: 1.2.4+39
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
203
Monitored processes
79
Malicious processes
8
Suspicious processes
3

Behavior graph

Click at the process to see the details
start rustdesk.exe taskkill.exe no specs conhost.exe no specs #RUSTDESK rustdesk.exe cmd.exe no specs rustdesk.exe no specs conhost.exe no specs taskkill.exe no specs rustdesk.exe no specs cmd.exe conhost.exe no specs chcp.com no specs sc.exe no specs sc.exe no specs taskkill.exe no specs taskkill.exe no specs reg.exe no specs reg.exe no specs netsh.exe no specs rustdesk.exe no specs reg.exe no specs chcp.com no specs xcopy.exe reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cscript.exe no specs cscript.exe no specs cscript.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs rustdesk.exe no specs sc.exe no specs sc.exe no specs rustdesk.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs netsh.exe no specs netsh.exe no specs sc.exe no specs sc.exe no specs THREAT rustdesk.exe no specs #RUSTDESK rustdesk.exe reg.exe no specs cmd.exe no specs THREAT rustdesk.exe no specs conhost.exe no specs cmd.exe no specs rustdesk.exe no specs conhost.exe no specs timeout.exe no specs taskkill.exe no specs THREAT rustdesk.exe rustdesk.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
240"C:\Users\admin\AppData\Local\rustdesk\.\rustdesk.exe" --installC:\Users\admin\AppData\Local\rustdesk\rustdesk.exerustdesk.exe
User:
admin
Company:
com.carriez
Integrity Level:
MEDIUM
Description:
rustdesk
Exit code:
3221225547
Version:
1.2.4+39
Modules
Images
c:\users\admin\appdata\local\rustdesk\rustdesk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\users\admin\appdata\local\rustdesk\desktop_drop_plugin.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
448reg add HKEY_CLASSES_ROOT\rustdesk /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
780reg add HKEY_CLASSES_ROOT\rustdesk\shell /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
884reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v EstimatedSize /t REG_DWORD /d 255C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
884"C:\Program Files\RustDesk\RustDesk.exe" --check-hwcodec-configC:\Program Files\RustDesk\rustdesk.exerustdesk.exe
User:
admin
Company:
com.carriez
Integrity Level:
MEDIUM
Description:
rustdesk
Exit code:
0
Version:
1.2.4+39
Modules
Images
c:\program files\rustdesk\rustdesk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\program files\rustdesk\desktop_drop_plugin.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
900sc start RustDeskC:\Windows\System32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1053
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
900reg add HKEY_CLASSES_ROOT\rustdesk\shell\open\command /f /ve /t REG_SZ /d "\"C:\Program Files\RustDesk\RustDesk.exe\" \"%1\""C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1068"C:\Program Files\RustDesk\RustDesk.exe" --serviceC:\Program Files\RustDesk\rustdesk.exe
services.exe
User:
SYSTEM
Company:
com.carriez
Integrity Level:
SYSTEM
Description:
rustdesk
Version:
1.2.4+39
Modules
Images
c:\program files\rustdesk\rustdesk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\program files\rustdesk\desktop_drop_plugin.dll
c:\program files\rustdesk\desktop_multi_window_plugin.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
1296XCOPY "C:\Users\admin\AppData\Local\rustdesk" "C:\Program Files\RustDesk" /Y /E /H /C /I /K /R /ZC:\Windows\System32\xcopy.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Extended Copy Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
1328\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetaskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
21 381
Read events
21 347
Write events
32
Delete events
2

Modification events

(PID) Process:(240) rustdesk.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(240) rustdesk.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(240) rustdesk.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(240) rustdesk.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2448) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation:writeName:DisplayIcon
Value:
C:\Program Files\RustDesk\RustDesk.exe
(PID) Process:(2088) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation:writeName:DisplayName
Value:
RustDesk
(PID) Process:(4136) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation:writeName:DisplayVersion
Value:
1.2.4
(PID) Process:(2972) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation:writeName:Version
Value:
1.2.4
(PID) Process:(2260) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation:writeName:BuildDate
Value:
2023-11-14 01:30
(PID) Process:(5732) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk
Operation:writeName:InstallLocation
Value:
C:\Program Files\RustDesk
Executable files
34
Suspicious files
29
Text files
159
Unknown types
10

Dropped files

PID
Process
Filename
Type
5908rustdesk.exeC:\Users\admin\AppData\Local\rustdesk\data\app.so
MD5:
SHA256:
5908rustdesk.exeC:\Users\admin\AppData\Local\rustdesk\desktop_drop_plugin.dllexecutable
MD5:886DDA51D7688A453CFA9357A61A8DCB
SHA256:C812E27866979E18771E3F36882D573E8115CF8D1C56387508687C7A89ED1912
5908rustdesk.exeC:\Users\admin\AppData\Local\rustdesk\rustdesk.exeexecutable
MD5:B2629317FE5335AAB4BAE0D140A5E819
SHA256:4536FBC2682D8C543D3A86E80C7B5723FF025B8236866A78AFE497790272B382
5908rustdesk.exeC:\Users\admin\AppData\Local\rustdesk\librustdesk.dllexecutable
MD5:3289202B6E3244477CEDDE6832767024
SHA256:AC2A689B618E86D98DC002F8A5D6C4CD6A763143805975EAFD5999A805E37FFE
5908rustdesk.exeC:\Users\admin\AppData\Local\rustdesk\url_launcher_windows_plugin.dllexecutable
MD5:29F5FF5D9F985E0644C0208CD3834FD0
SHA256:F8A1E50CFFDFB32FF9826034268F5F95DE6B630BD4C071E30BF98D8BD0FD01BC
5908rustdesk.exeC:\Users\admin\AppData\Local\rustdesk\dylib_virtual_display.dllexecutable
MD5:1E079D3D4CA3E0ACAC77F0D4B2CCDCB2
SHA256:67A44EF56CC2A329D71C7AFE12F3A33DF2D38716661A490D931D372CA3B5E642
5908rustdesk.exeC:\Users\admin\AppData\Local\rustdesk\texture_rgba_renderer_plugin.dllexecutable
MD5:A9C2EDF331478D72770B455191F0FC07
SHA256:CCEE34B743792446803B608ADA911CEACD84455BF808B7F37C9C0F04A8232156
5908rustdesk.exeC:\Users\admin\AppData\Local\rustdesk\screen_retriever_plugin.dllexecutable
MD5:014556231D2A7ACFAEEDEB68C2B14144
SHA256:8841E7E3EC6E472B5060EDD43A70712CEE254C1B984B899A3C6D849ADE635442
5908rustdesk.exeC:\Users\admin\AppData\Local\rustdesk\RustDeskIddDriver.cerder
MD5:5C78063C973AD47F8F63BBE7CD4517FB
SHA256:7427555550E96A0C93FD48FCED170B614284F182349995AEB4ADC9CFD2AFEE80
5908rustdesk.exeC:\Users\admin\AppData\Local\rustdesk\data\icudtl.datbinary
MD5:CF772CF9F6CA67F592FE47DA2A15ADB1
SHA256:AC44CCC3F61BF630BB20FB8043D86CFE4C8995D06B460084400DB45D70497B30
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
46
DNS requests
7
Threats
104

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1272
RUXIMICS.exe
GET
200
2.16.164.34:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
2064
MoUsoCoreWorker.exe
GET
200
2.16.164.34:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
1272
RUXIMICS.exe
GET
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
2064
MoUsoCoreWorker.exe
GET
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
3972
rustdesk.exe
POST
81.219.193.10:21114
http://81.219.193.10:21114/api/sysinfo
unknown
unknown
3972
rustdesk.exe
POST
81.219.193.10:21114
http://81.219.193.10:21114/api/heartbeat
unknown
unknown
3168
rustdesk.exe
POST
81.219.193.10:21114
http://81.219.193.10:21114/api/sysinfo
unknown
unknown
3972
rustdesk.exe
POST
81.219.193.10:21114
http://81.219.193.10:21114/api/heartbeat
unknown
unknown
3972
rustdesk.exe
POST
81.219.193.10:21114
http://81.219.193.10:21114/api/heartbeat
unknown
unknown
3972
rustdesk.exe
POST
81.219.193.10:21114
http://81.219.193.10:21114/api/heartbeat
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4392
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
239.255.255.250:1900
whitelisted
1272
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2064
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1272
RUXIMICS.exe
2.16.164.34:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
2064
MoUsoCoreWorker.exe
2.16.164.34:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
3168
rustdesk.exe
81.219.193.10:21116
unknown
3168
rustdesk.exe
81.219.193.10:21115
Netia SA
PL
unknown
1272
RUXIMICS.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
unknown

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.16.164.34
  • 2.16.164.32
  • 2.16.164.24
  • 2.16.164.17
  • 2.16.164.106
  • 2.16.164.72
  • 2.16.164.120
  • 2.16.164.51
whitelisted
github.com
  • 140.82.121.4
shared
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
self.events.data.microsoft.com
  • 52.182.141.63
whitelisted

Threats

PID
Process
Class
Message
3168
rustdesk.exe
Misc activity
ET INFO RustDesk Register Public Key
3168
rustdesk.exe
Misc activity
ET INFO RustDesk Register Public Key
3972
rustdesk.exe
Misc activity
ET INFO RustDesk Register Public Key
3972
rustdesk.exe
Misc activity
ET INFO RustDesk Register Public Key
3972
rustdesk.exe
Misc activity
ET INFO RustDesk Register Public Key
3972
rustdesk.exe
Misc activity
ET INFO RustDesk Register Public Key
3972
rustdesk.exe
Misc activity
ET INFO RustDesk Register Public Key
3972
rustdesk.exe
Misc activity
ET INFO RustDesk Register Public Key
3972
rustdesk.exe
Misc activity
ET INFO RustDesk Register Public Key
3972
rustdesk.exe
Misc activity
ET INFO RustDesk Register Public Key
20 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
rustdesk.exe