File name:

anydesk-2.exe

Full analysis: https://app.any.run/tasks/34604faa-02a9-4672-bafe-490e557e3656
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: December 02, 2024, 13:22:25
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
anydesk
tool
adware
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

9A1D9FE9B1223273C314632D04008384

SHA1:

665CAD3ED21F6443D1ADACF18CA45DFAA8F52C99

SHA256:

0F4BF8506A2560C568B9815124DFC43A11C561ED611829DF841EC7ABA8302359

SSDEEP:

98304:6+NmU7afvNN5+N6F8c5AvtfXmJ+PigmgG:6+NmcaNNH8UotnmL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • ADWARE has been detected (SURICATA)

      • anydesk-2.exe (PID: 1556)
  • SUSPICIOUS

    • Found AnyDesk certificate that may have been compromised

      • anydesk-2.exe (PID: 5400)
      • anydesk-2.exe (PID: 1556)
      • anydesk-2.exe (PID: 1228)
    • Application launched itself

      • anydesk-2.exe (PID: 5400)
    • ANYDESK has been found

      • anydesk-2.exe (PID: 5400)
    • Executable content was dropped or overwritten

      • anydesk-2.exe (PID: 1556)
    • Potential Corporate Privacy Violation

      • anydesk-2.exe (PID: 1556)
    • Access to an unwanted program domain was detected

      • anydesk-2.exe (PID: 1556)
  • INFO

    • Creates files or folders in the user directory

      • anydesk-2.exe (PID: 5400)
    • Process checks whether UAC notifications are on

      • anydesk-2.exe (PID: 5400)
    • The process uses the downloaded file

      • anydesk-2.exe (PID: 5400)
    • Reads the computer name

      • anydesk-2.exe (PID: 5400)
      • anydesk-2.exe (PID: 1556)
      • anydesk-2.exe (PID: 1228)
    • Checks supported languages

      • anydesk-2.exe (PID: 5400)
      • anydesk-2.exe (PID: 1556)
      • anydesk-2.exe (PID: 1228)
    • Reads the machine GUID from the registry

      • anydesk-2.exe (PID: 1556)
    • Reads CPU info

      • anydesk-2.exe (PID: 5400)
    • Checks proxy server information

      • anydesk-2.exe (PID: 1228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:10:18 11:28:46+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 10752
InitializedDataSize: 3971072
UninitializedDataSize: 13142528
EntryPoint: 0x1ce9
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 7.1.6.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: AnyDesk Software GmbH
FileDescription: AnyDesk
FileVersion: 7.1.6
ProductName: AnyDesk
ProductVersion: 7.1
LegalCopyright: (C) 2022 AnyDesk Software GmbH
No data.
All screenshots are available in the full report
Total processes
120
Monitored processes
3
Malicious processes
2
Suspicious processes
0


Process information

PID
CMD
Path
Indicators
Parent process
PID:
1228
CMD:
"C:\Users\admin\Desktop\anydesk-2.exe" --local-control
Path:
C:\Users\admin\Desktop\anydesk-2.exe
Parent process:
anydesk-2.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Version:
7.1.6
Modules
Images
c:\users\admin\desktop\anydesk-2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
PID:
1556
CMD:
"C:\Users\admin\Desktop\anydesk-2.exe" --local-service
Path:
C:\Users\admin\Desktop\anydesk-2.exe
Parent process:
anydesk-2.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Version:
7.1.6
Modules
Images
c:\users\admin\desktop\anydesk-2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
PID:
5400
CMD:
"C:\Users\admin\Desktop\anydesk-2.exe"
Path:
C:\Users\admin\Desktop\anydesk-2.exe
Parent process:
explorer.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Version:
7.1.6
Modules
Images
c:\users\admin\desktop\anydesk-2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
Total events
738
Read events
738
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 5400
Process: anydesk-2.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X4R0QXENCI9ZKMJF6JGQ.temp
Type: binary
MD5: AB042F6A0E8607780953C8B6EBBF4ECB
SHA256: 535261FD1BE2F56A78C27171AF34B375BA78B7FDC3E43EBFFD61ACDA105351F2

PID: 1556
Process: anydesk-2.exe
Filename: C:\Users\admin\Desktop\gcapi.dll
Type: executable
MD5: 1CE7D5A1566C8C449D0F6772A8C27900
SHA256: 73170761D6776C0DEBACFBBC61B6988CB8270A20174BF5C049768A264BB8FFAF

PID: 1556
Process: anydesk-2.exe
Filename: C:\Users\admin\AppData\Roaming\AnyDesk\system.conf
Type: text
MD5: 0C04AD1083DC5C7C45E3EE2CD344AE38
SHA256: 6452273C017DB7CBE0FFC5B109BBF3F8D3282FB91BFA3C5EABC4FB8F1FC98CB0

PID: 5400
Process: anydesk-2.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms
Type: binary
MD5: AB042F6A0E8607780953C8B6EBBF4ECB
SHA256: 535261FD1BE2F56A78C27171AF34B375BA78B7FDC3E43EBFFD61ACDA105351F2

PID: 1556
Process: anydesk-2.exe
Filename: C:\Users\admin\AppData\Roaming\AnyDesk\service.conf
Type: text
MD5: 8837BA65CAEF83DD60A40BB86A2C4ED0
SHA256: 98946C866E05A0E239C9EDE1ACA6656592DC1D9AF8283A70B264F29569F006DE

PID: 5400
Process: anydesk-2.exe
Filename: C:\Users\admin\AppData\Roaming\AnyDesk\user.conf
Type: text
MD5: 5059D0251F3292C45A54E0AB40CCA733
SHA256: 88D22B3A6A8BCB3AB03CFAC5EEF7FDF1CF4C99E17576D05997D2F0DFC96B8189

PID: 1556
Process: anydesk-2.exe
Filename: C:\Users\admin\AppData\Local\Temp\gcapi.dll
Type: executable
MD5: 1CE7D5A1566C8C449D0F6772A8C27900
SHA256: 73170761D6776C0DEBACFBBC61B6988CB8270A20174BF5C049768A264BB8FFAF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
36
DNS requests
11
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1556
anydesk-2.exe
POST
200
18.245.86.84:80
http://api.playanext.com/httpapi
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5848
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
92.123.104.24:443
www.bing.com
Akamai International B.V.
DE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1556
anydesk-2.exe
57.129.37.157:443
boot.net.anydesk.com
FR
whitelisted
1556
anydesk-2.exe
57.129.37.157:80
boot.net.anydesk.com
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
www.bing.com
  • 92.123.104.24
  • 92.123.104.19
  • 92.123.104.21
  • 92.123.104.17
  • 92.123.104.14
  • 92.123.104.20
  • 92.123.104.15
  • 92.123.104.22
  • 92.123.104.16
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
boot.net.anydesk.com
  • 57.129.37.157
whitelisted
relay-cbc983d7.net.anydesk.com
  • 209.58.171.198
whitelisted
relay-f3ecc32f.net.anydesk.com
  • 103.107.198.86
whitelisted
api.playanext.com
  • 18.245.86.79
  • 18.245.86.26
  • 18.245.86.105
  • 18.245.86.84
whitelisted
relay-44ae70a8.net.anydesk.com
  • 203.27.106.3
whitelisted

Threats

PID
Process
Class
Message
1556
anydesk-2.exe
Potential Corporate Privacy Violation
ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent
1556
anydesk-2.exe
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] Driver Updater Setup Process
No debug info