File name:

AnyDesk.exe

Full analysis: https://app.any.run/tasks/eb7ea5fa-4674-4b9d-8d2a-ddf6ed161d29
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: February 13, 2026, 03:57:02
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
anydesk
rmm-tool
adware
Indicators:
MD5:

C48B572A659A1ADE4190421AB2280D87

SHA1:

1CA08190C945786C974156F75262D4FD55A868B0

SHA256:

0B679027E38F3D9CA554085BE0E762C651E83E6414401B56635CDF3765CA1DAC

SSDEEP:

98304:fLdvq6ncATDSSdsvPT+68+1h3ZlnMapRM2yKBXuYUA0KeDbKyPskHF6d7VXNCVpc:saS28Ze3k6aB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ADWARE has been detected (SURICATA)

      • AnyDesk.exe (PID: 5764)
  • SUSPICIOUS

    • ANYDESK has been found

      • AnyDesk.exe (PID: 8456)
    • ANYDESK mutex has been found

      • AnyDesk.exe (PID: 8456)
      • AnyDesk.exe (PID: 4856)
      • AnyDesk.exe (PID: 5764)
    • Application launched itself

      • AnyDesk.exe (PID: 8456)
    • Access to an unwanted program domain was detected

      • AnyDesk.exe (PID: 5764)
    • Potential Corporate Privacy Violation

      • AnyDesk.exe (PID: 5764)
  • INFO

    • The sample compiled with english language support

      • AnyDesk.exe (PID: 8456)
    • Process checks whether UAC notifications are on

      • AnyDesk.exe (PID: 8456)
    • Reads the computer name

      • AnyDesk.exe (PID: 8456)
      • AnyDesk.exe (PID: 4856)
      • AnyDesk.exe (PID: 5764)
    • Checks supported languages

      • AnyDesk.exe (PID: 5764)
      • AnyDesk.exe (PID: 4856)
      • AnyDesk.exe (PID: 8456)
    • Creates files or folders in the user directory

      • AnyDesk.exe (PID: 5764)
      • AnyDesk.exe (PID: 8456)
      • AnyDesk.exe (PID: 4856)
    • Reads the machine GUID from the registry

      • AnyDesk.exe (PID: 5764)
    • Checks proxy server information

      • AnyDesk.exe (PID: 4856)
    • Reads CPU info

      • AnyDesk.exe (PID: 4856)
    • Process checks computer location settings

      • AnyDesk.exe (PID: 4856)
      • AnyDesk.exe (PID: 5764)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
147
Monitored processes
4
Malicious processes
2
Suspicious processes
1

Behavior graph

  • start
  • anydesk.exe (no specs)
  • anydesk.exe (#ADWARE)
  • anydesk.exe (no specs)
  • slui.exe (no specs)

Process information

PID:
4856
CMD:
"C:\Users\admin\AppData\Local\Temp\AnyDesk.exe" --local-control
Path:
C:\Users\admin\AppData\Local\Temp\AnyDesk.exe
Parent process:
AnyDesk.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Version:
9.6.10
Modules
Images
c:\users\admin\appdata\local\temp\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
PID:
5764
CMD:
"C:\Users\admin\AppData\Local\Temp\AnyDesk.exe" --local-service
Path:
C:\Users\admin\AppData\Local\Temp\AnyDesk.exe
Parent process:
AnyDesk.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Version:
9.6.10
Modules
Images
c:\users\admin\appdata\local\temp\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
PID:
8456
CMD:
"C:\Users\admin\AppData\Local\Temp\AnyDesk.exe"
Path:
C:\Users\admin\AppData\Local\Temp\AnyDesk.exe
Parent process:
explorer.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Version:
9.6.10
Modules
Images
c:\users\admin\appdata\local\temp\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
PID:
9136
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
984
Read events
984
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
132

Dropped files

PID: 8456
Process: AnyDesk.exe
Filename: C:\Users\admin\AppData\Roaming\AnyDesk\system.conf~RF1e5a43.TMP
MD5:
SHA256:

PID: 8456
Process: AnyDesk.exe
Filename: C:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF1e5a53.TMP
MD5:
SHA256:

PID: 5764
Process: AnyDesk.exe
Filename: C:\Users\admin\AppData\Roaming\AnyDesk\service.conf~RF1e5ef6.TMP
MD5:
SHA256:

PID: 8456
Process: AnyDesk.exe
Filename: C:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF1e5b7c.TMP
Type: binary
MD5: 388A2B0EE2F05B1A9D3999BB26A16B74
SHA256: 1D6C30561CED5E18C52B19191A2884709633DB5558BB8872F230778ECFA08FDD

PID: 5764
Process: AnyDesk.exe
Filename: C:\Users\admin\AppData\Roaming\AnyDesk\service.conf
Type: binary
MD5: 0797042D92466FDCE4C28C7FEC0CA263
SHA256: 13C5DCC7631BA9BFFE20C03BC72E2B5C8727BDCBA018F25553EADAF8BA1B8031

PID: 8456
Process: AnyDesk.exe
Filename: C:\Users\admin\AppData\Roaming\AnyDesk\system.conf
Type: binary
MD5: 30D30D84FA4D1F9DE1265D81E0468007
SHA256: 77EBDC74416647A83A99023793CF73B5E249869FD3ECA267C356A0793E24D97A

PID: 8456
Process: AnyDesk.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XUAYL20Z65KQ9ZZL4FX9.temp
Type: binary
MD5: C366A90686132FD9564DA77C12941C35
SHA256: FAEF66DC12AAD10FBAD79A4F1ED3A61E6962CAD26A83D29E8B4F4BE079FA1BE8

PID: 8456
Process: AnyDesk.exe
Filename: C:\Users\admin\AppData\Roaming\AnyDesk\user.conf
Type: binary
MD5: A787C308BD30D6D844E711D7579BE552
SHA256: 8A395011A6A877D3BDD53CC8688EF146160DAB9D42140EB4A70716AD4293A440

PID: 8456
Process: AnyDesk.exe
Filename: C:\Users\admin\AppData\Roaming\AnyDesk\user.conf.new
Type: binary
MD5: A787C308BD30D6D844E711D7579BE552
SHA256: 8A395011A6A877D3BDD53CC8688EF146160DAB9D42140EB4A70716AD4293A440

PID: 8456
Process: AnyDesk.exe
Filename: C:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF1e5a82.TMP
Type: binary
MD5: A787C308BD30D6D844E711D7579BE552
SHA256: 8A395011A6A877D3BDD53CC8688EF146160DAB9D42140EB4A70716AD4293A440
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
20
TCP/UDP connections
27
DNS requests
21
Threats
10

HTTP requests

PID: 6768
Process: MoUsoCoreWorker.exe
Method: GET
HTTP Code: 304
IP: 51.104.136.2:443
URL: https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop
CN: US
Reputation: whitelisted

PID: 7544
Process: svchost.exe
Method: GET
HTTP Code: 304
IP: 51.104.136.2:443
URL: https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
CN: US
Reputation: whitelisted

PID: 8532
Process: SIHClient.exe
Method: GET
HTTP Code: 304
IP: 74.178.76.128:443
URL: https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
CN: US
Reputation: whitelisted

PID: 8532
Process: SIHClient.exe
Method: GET
HTTP Code: 200
IP: 20.165.94.54:443
URL: https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
CN: US
Reputation: whitelisted

PID: 8532
Process: SIHClient.exe
Method: GET
HTTP Code: 200
IP: 74.178.76.128:443
URL: https://slscr.update.microsoft.com/sls/ping
CN: US
Reputation: whitelisted

PID: 8532
Process: SIHClient.exe
Method: GET
HTTP Code: 304
IP: 74.178.76.128:443
URL: https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
CN: US
Reputation: whitelisted

Method: GET
HTTP Code: 200
IP: 184.30.131.245:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D
CN: US
Type: binary
Size: 313 b
Reputation: whitelisted

PID: 356
Process: svchost.exe
Method: POST
HTTP Code: 200
IP: 40.126.7.32:443
URL: https://login.live.com/RST2.srf
CN: US
Type: binary
Size: 10.3 Kb
Reputation: whitelisted

PID: 356
Process: svchost.exe
Method: POST
HTTP Code: 200
IP: 40.126.7.32:443
URL: https://login.live.com/RST2.srf
CN: US
Type: binary
Size: 11.1 Kb
Reputation: whitelisted

PID: 356
Process: svchost.exe
Method: GET
HTTP Code: 200
IP: 184.30.131.245:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
CN: US
Type: binary
Size: 471 b
Reputation: whitelisted

Connections

PID: 4
Process: System
IP: 192.168.100.255:137
Not routed
Reputation: whitelisted

PID: 7544
Process: svchost.exe
IP: 40.127.240.158:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

PID: 7212
Process: RUXIMICS.exe
IP: 40.127.240.158:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

PID: 6768
Process: MoUsoCoreWorker.exe
IP: 40.127.240.158:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

IP: 2.16.204.141:443
Domain: www.bing.com
ASN: AKAMAI-ASN1
CN: NL
Reputation: whitelisted

IP: 184.30.131.245:80
Domain: ocsp.digicert.com
ASN: AKAMAI-AS
CN: US
Reputation: whitelisted

IP: 204.79.197.203:80
Domain: oneocsp.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:138
Not routed
Reputation: whitelisted

IP: 20.59.87.225:443
Domain: client.wns.windows.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

PID: 5764
Process: AnyDesk.exe
IP: 195.181.174.173:443
Domain: boot.net.anydesk.com
ASN: CDN77 _
CN: GB
Reputation: suspicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.14
whitelisted
www.bing.com
  • 2.16.204.141
  • 2.16.204.161
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
oneocsp.microsoft.com
  • 204.79.197.203
whitelisted
client.wns.windows.com
  • 20.59.87.225
whitelisted
boot.net.anydesk.com
  • 195.181.174.174
  • 37.59.29.33
  • 57.128.101.77
  • 57.128.101.78
  • 57.128.101.74
  • 141.95.145.210
  • 57.128.101.75
  • 195.181.174.173
unknown
relay-2cf7befd.net.anydesk.com
  • 195.181.165.139
unknown
crl.anydesk.com
whitelisted
api.playanext.com
  • 13.226.244.105
  • 13.226.244.16
  • 13.226.244.85
  • 13.226.244.76
whitelisted

Threats

PID
Process
Class
Message
2292
svchost.exe
Misc activity
ET REMOTE_ACCESS Anydesk Relay Domain (net .anydesk .com) in DNS Lookup
5764
AnyDesk.exe
Misc activity
ET REMOTE_ACCESS Observed Anydesk Relay Domain (net .anydesk .com) in TLS SNI
2292
svchost.exe
Misc activity
ET REMOTE_ACCESS Anydesk Domain (boot .net .anydesk .com) in DNS Lookup
5764
AnyDesk.exe
Misc activity
ET REMOTE_ACCESS Observed Anydesk Relay Domain (net .anydesk .com) in TLS SNI
5764
AnyDesk.exe
Misc activity
ET REMOTE_ACCESS Observed Anydesk Domain (boot .net .anydesk .com) in TLS SNI
2292
svchost.exe
Misc activity
ET REMOTE_ACCESS Anydesk Relay Domain (net .anydesk .com) in DNS Lookup
5764
AnyDesk.exe
Not Suspicious Traffic
INFO [ANY.RUN] UDP Query to Cloudflare DNS observed
5764
AnyDesk.exe
Potential Corporate Privacy Violation
ET REMOTE_ACCESS AnyDesk Remote Desktop Software User-Agent
5764
AnyDesk.exe
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] Driver Updater Setup Process
7544
svchost.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info