File name: anydesk.exe

Full analysis: https://app.any.run/tasks/89826fe1-d30a-45c5-a436-08d1b6afe779
Verdict: Malicious activity
Analysis date: February 05, 2024, 02:22:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 2621B754576047A6E94ACBF1DD4FE0EF
SHA1: 246F36118C53AC7421518DBC9BB4259128F3C417
SHA256: 109B03FFC45231E5A4C8805A10926492890F7B568F8A93ABE1FA495B4BD42975
SSDEEP: 98304:6W0Ughn1zD8gmJUikb59sFaZw3abaqt8+Uen/xIZ:6WBCn5D8gmJUrvsFaZw3HsJIZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • anydesk.exe (PID: 1392)
      • anydesk.exe (PID: 2028)
  • SUSPICIOUS

    • Application launched itself

      • anydesk.exe (PID: 1392)
    • Reads the Internet Settings

      • anydesk.exe (PID: 4092)
    • Executable content was dropped or overwritten

      • anydesk.exe (PID: 2028)
  • INFO

    • Reads the computer name

      • anydesk.exe (PID: 1392)
      • anydesk.exe (PID: 2028)
      • anydesk.exe (PID: 4092)
    • Checks supported languages

      • anydesk.exe (PID: 1392)
      • anydesk.exe (PID: 2028)
      • anydesk.exe (PID: 4092)
    • Process checks whether UAC notifications are on

      • anydesk.exe (PID: 1392)
    • Creates files or folders in the user directory

      • anydesk.exe (PID: 1392)
    • Reads the machine GUID from the registry

      • anydesk.exe (PID: 1392)
      • anydesk.exe (PID: 2028)
    • Reads CPU info

      • anydesk.exe (PID: 1392)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:08:08 11:23:44+02:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 10752
InitializedDataSize: 3824640
UninitializedDataSize: 12487168
EntryPoint: 0x1ce9
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 7.0.14.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: AnyDesk Software GmbH
FileDescription: AnyDesk
FileVersion: 7.0.14
ProductName: AnyDesk
ProductVersion: 7
LegalCopyright: (C) 2022 AnyDesk Software GmbH
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 1

Behavior graph


Process information

PID: 1392
CMD: "C:\Users\admin\AppData\Local\Temp\anydesk.exe"
Path: C:\Users\admin\AppData\Local\Temp\anydesk.exe
Parent process: explorer.exe
User: admin
Company: AnyDesk Software GmbH
Integrity Level: MEDIUM
Description: AnyDesk
Exit code: 0
Version: 7.0.14
Loaded modules (images):
c:\users\admin\appdata\local\temp\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2028
CMD: "C:\Users\admin\AppData\Local\Temp\anydesk.exe" --local-service
Path: C:\Users\admin\AppData\Local\Temp\anydesk.exe
Parent process: anydesk.exe
User: admin
Company: AnyDesk Software GmbH
Integrity Level: MEDIUM
Description: AnyDesk
Exit code: 0
Version: 7.0.14
Loaded modules (images):
c:\users\admin\appdata\local\temp\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 4092
CMD: "C:\Users\admin\AppData\Local\Temp\anydesk.exe" --local-control
Path: C:\Users\admin\AppData\Local\Temp\anydesk.exe
Parent process: anydesk.exe
User: admin
Company: AnyDesk Software GmbH
Integrity Level: MEDIUM
Description: AnyDesk
Exit code: 0
Version: 7.0.14
Loaded modules (images):
c:\users\admin\appdata\local\temp\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 1 218
Read events: 1 218
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1
Suspicious files: 5
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type

2028 | anydesk.exe | C:\Users\admin\AppData\Roaming\AnyDesk\system.conf | text
MD5: 979412445E04EDDDB523BBF64F2D9E25
SHA256: C253A9DB55EFEB183543BAA5965F0D279B0E4ECD7E6211E231E8E8F5C8DFE596
1392 | anydesk.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms~RF163a9c.TMP | binary
MD5: 7B05929E26FB33A79FC26895A7FE9D3A
SHA256: 1DDBCCF330F29EDBDC6DB5A27FED823397BE0F851566A45BECB24F81E2D268F4
2028 | anydesk.exe | C:\Users\admin\AppData\Local\Temp\gcapi.dll | executable
MD5: 1CE7D5A1566C8C449D0F6772A8C27900
SHA256: 73170761D6776C0DEBACFBBC61B6988CB8270A20174BF5C049768A264BB8FFAF
2028 | anydesk.exe | C:\Users\admin\AppData\Roaming\AnyDesk\service.conf | text
MD5: 8CBEC9E0D100C88944CA5F906941BBEB
SHA256: 5396B26A2834D64A98E0E8015D390825B5FE5DF1249D737DECAA8152E19BDA4D
1392 | anydesk.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JQ3SC0UIWVTMH8JA7UM1.temp | binary
MD5: 7B05929E26FB33A79FC26895A7FE9D3A
SHA256: 1DDBCCF330F29EDBDC6DB5A27FED823397BE0F851566A45BECB24F81E2D268F4
1392 | anydesk.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KF2JSQH8YC1E1TGIIRE0.temp | binary
MD5: 7B05929E26FB33A79FC26895A7FE9D3A
SHA256: 1DDBCCF330F29EDBDC6DB5A27FED823397BE0F851566A45BECB24F81E2D268F4
1392 | anydesk.exe | C:\Users\admin\AppData\Roaming\AnyDesk\user.conf | text
MD5: 5059D0251F3292C45A54E0AB40CCA733
SHA256: 88D22B3A6A8BCB3AB03CFAC5EEF7FDF1CF4C99E17576D05997D2F0DFC96B8189
1392 | anydesk.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms | binary
MD5: 7B05929E26FB33A79FC26895A7FE9D3A
SHA256: 1DDBCCF330F29EDBDC6DB5A27FED823397BE0F851566A45BECB24F81E2D268F4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 6
DNS requests: 2
Threats: 1

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2028 | anydesk.exe | 49.12.130.236:443 | boot.net.anydesk.com | Hetzner Online GmbH | DE | unknown
2028 | anydesk.exe | 208.115.231.166:443 | relay-a94e7ea4.net.anydesk.com | LIMESTONENETWORKS | US | unknown

DNS requests

Domain | IP | Reputation
boot.net.anydesk.com | 49.12.130.236 | unknown
relay-a94e7ea4.net.anydesk.com | 208.115.231.166 | unknown

Threats

PID | Process | Class | Message
2028 | anydesk.exe | Misc activity | ET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)
No debug info