File name: AnyDesk (2).exe

Full analysis: https://app.any.run/tasks/efb7124d-6f07-46bf-aa09-a4f9ce6c306e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 27, 2024, 21:21:46
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: banker, stealer, qbot, qakbot, quakbot, loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 40483C4AC249B747060AC46CCE13AB6F
SHA1: 0B82B980EEA1E8D2BE9E70E01FE1421AA38ABC7D
SHA256: 1D0D0A6C3770C390744033232A8DE0BF682716849EBC2866118C65C51CF5D4D9
SSDEEP: 98304:8DmuJ3cTQ0ANeaNzz+iPjmjzb7cT3eiuqgYvGX0VWJ1ZnhbQ9DN8AGY4wjUCwk5Q:vFF/T

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • AnyDesk (2).exe (PID: 6128)
      • AnyDesk (2).exe (PID: 4780)
    • QAKBOT has been detected (SURICATA)
      • AnyDesk (2).exe (PID: 4780)
  • SUSPICIOUS
    • Connects to unusual port
      • AnyDesk (2).exe (PID: 4780)
    • Executable content was dropped or overwritten
      • AnyDesk (2).exe (PID: 4780)
    • Application launched itself
      • AnyDesk (2).exe (PID: 6128)
  • INFO
    • Process checks whether UAC notifications are on
      • AnyDesk (2).exe (PID: 6128)
    • Creates files or folders in the user directory
      • AnyDesk (2).exe (PID: 6128)
    • Checks supported languages
      • AnyDesk (2).exe (PID: 4780)
      • AnyDesk (2).exe (PID: 6128)
      • AnyDesk (2).exe (PID: 3920)
    • Checks proxy server information
      • AnyDesk (2).exe (PID: 3920)
    • Reads the machine GUID from the registry
      • AnyDesk (2).exe (PID: 4780)
    • Reads CPU info
      • AnyDesk (2).exe (PID: 6128)
    • Process checks computer location settings
      • AnyDesk (2).exe (PID: 3920)
      • AnyDesk (2).exe (PID: 4780)
    • Reads the computer name
      • AnyDesk (2).exe (PID: 3920)
      • AnyDesk (2).exe (PID: 4780)
      • AnyDesk (2).exe (PID: 6128)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:01:16 14:10:29+01:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 10752
InitializedDataSize: 5182976
UninitializedDataSize: 19082752
EntryPoint: 0x1ce5
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 8.0.7.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: AnyDesk Software GmbH
FileDescription: AnyDesk
FileVersion: 8.0.7
ProductName: AnyDesk
ProductVersion: 8
LegalCopyright: (C) 2022 AnyDesk Software GmbH
Total processes: 118
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0


Process information

PID | CMD | Path | Parent process

3920 | "C:\Users\admin\Desktop\AnyDesk (2).exe" --local-control | C:\Users\admin\Desktop\AnyDesk (2).exe | AnyDesk (2).exe
User: admin
Company: AnyDesk Software GmbH
Integrity Level: MEDIUM
Description: AnyDesk
Exit code: 0
Version: 8.0.7
Modules (images):
  c:\users\admin\desktop\anydesk (2).exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\winmm.dll

4780 | "C:\Users\admin\Desktop\AnyDesk (2).exe" --local-service | C:\Users\admin\Desktop\AnyDesk (2).exe | AnyDesk (2).exe
User: admin
Company: AnyDesk Software GmbH
Integrity Level: MEDIUM
Description: AnyDesk
Exit code: 0
Version: 8.0.7
Modules (images):
  c:\users\admin\desktop\anydesk (2).exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\winmm.dll

5252 | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe | svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive File Co-Authoring Executable
Exit code: 0
Version: 19.043.0304.0013
Modules (images):
  c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\user32.dll
  c:\windows\syswow64\win32u.dll

6128 | "C:\Users\admin\Desktop\AnyDesk (2).exe" | C:\Users\admin\Desktop\AnyDesk (2).exe | explorer.exe
User: admin
Company: AnyDesk Software GmbH
Integrity Level: MEDIUM
Description: AnyDesk
Exit code: 0
Version: 8.0.7
Modules (images):
  c:\users\admin\desktop\anydesk (2).exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\winmm.dll
Total events: 677
Read events: 677
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 2
Suspicious files: 4
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type

6128 | AnyDesk (2).exe | C:\Users\admin\AppData\Roaming\AnyDesk\user.conf | text
  MD5: A787C308BD30D6D844E711D7579BE552
  SHA256: 8A395011A6A877D3BDD53CC8688EF146160DAB9D42140EB4A70716AD4293A440
6128 | AnyDesk (2).exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V3TFG7Z4DHDR08TVB2WF.temp | binary
  MD5: ABFF43B4AD7D999BCF3E3FDF235ABB53
  SHA256: B22B30730415C96E3E34FBCEE76EA15D6CD1E3E037AF259EF5554DD927F9A248
5252 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-01-27.2125.5252.1.aodl | binary
  MD5: 923BF0E545D9C37CA8874C8D6C4A30E6
  SHA256: AB32C675D35DDBEBFCF8B11720C3E550024E8D0DF557838F17186377E3D0FE65
4780 | AnyDesk (2).exe | C:\Users\admin\Desktop\gcapi.dll | executable
  MD5: 1CE7D5A1566C8C449D0F6772A8C27900
  SHA256: 73170761D6776C0DEBACFBBC61B6988CB8270A20174BF5C049768A264BB8FFAF
4780 | AnyDesk (2).exe | C:\Users\admin\AppData\Roaming\AnyDesk\service.conf | text
  MD5: 29DB3C9FB6D8F3542322B52D3D59CDC4
  SHA256: 9830C1AD0539C48D5115FC3DC15892BD8933CC99043DB4DA78769EE607C8BB75
4780 | AnyDesk (2).exe | C:\Users\admin\AppData\Local\Temp\gcapi.dll | executable
  MD5: 1CE7D5A1566C8C449D0F6772A8C27900
  SHA256: 73170761D6776C0DEBACFBBC61B6988CB8270A20174BF5C049768A264BB8FFAF
5252 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-01-27.2125.5252.1.odl | binary
  MD5: A6628213248EC3A3982FBB7DAF833287
  SHA256: 7C737E944A0F03850A2A67DC4A800811F2155D4375F2AEC5FF14833847CA2569
4780 | AnyDesk (2).exe | C:\Users\admin\AppData\Roaming\AnyDesk\system.conf | text
  MD5: 0C04AD1083DC5C7C45E3EE2CD344AE38
  SHA256: 6452273C017DB7CBE0FFC5B109BBF3F8D3282FB91BFA3C5EABC4FB8F1FC98CB0
6128 | AnyDesk (2).exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms | binary
  MD5: ABFF43B4AD7D999BCF3E3FDF235ABB53
  SHA256: B22B30730415C96E3E34FBCEE76EA15D6CD1E3E037AF259EF5554DD927F9A248
HTTP(S) requests: 16
TCP/UDP connections: 95
DNS requests: 27
Threats: 32

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

4780 | AnyDesk (2).exe | POST | 200 | 18.245.86.79:80 | http://api.playanext.com/httpapi | unknown | | | unknown
5940 | SIHClient.exe | GET | 200 | 52.165.165.26:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19044.1288/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1288&MK=DELL&MD=DELL | unknown | | |
5940 | SIHClient.exe | GET | 304 | 52.165.165.26:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19044.1288/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1288&MK=DELL&MD=DELL | unknown | | |
5940 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | binary | 813 b | unknown
5940 | SIHClient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | binary | 824 b | unknown
5940 | SIHClient.exe | GET | | 20.3.187.198:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | | |
5940 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | binary | 401 b | unknown
5940 | SIHClient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | binary | 555 b | unknown
5940 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | binary | 418 b | unknown
5940 | SIHClient.exe | GET | 200 | 52.165.165.26:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19044.1288/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1288&MK=DELL&MD=DELL | unknown | compressed | 24.8 Kb |

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4780 | AnyDesk (2).exe | 92.223.88.232:443 | boot.net.anydesk.com | G-Core Labs S.A. | LU | unknown
4780 | AnyDesk (2).exe | 92.223.88.232:80 | boot.net.anydesk.com | G-Core Labs S.A. | LU | unknown
4780 | AnyDesk (2).exe | 195.181.165.139:443 | relay-2cf7befd.net.anydesk.com | Datacamp Limited | GB | unknown
4780 | AnyDesk (2).exe | 195.181.165.139:80 | relay-2cf7befd.net.anydesk.com | Datacamp Limited | GB | unknown
4780 | AnyDesk (2).exe | 195.181.165.139:6568 | relay-2cf7befd.net.anydesk.com | Datacamp Limited | GB | unknown
4780 | AnyDesk (2).exe | 57.128.141.163:443 | relay-ad195ac5.net.anydesk.com | OVH SAS | FR | unknown
4780 | AnyDesk (2).exe | 57.128.141.163:80 | relay-ad195ac5.net.anydesk.com | OVH SAS | FR | unknown
4780 | AnyDesk (2).exe | 18.245.86.79:80 | api.playanext.com | | US | unknown
4780 | AnyDesk (2).exe | 57.128.141.165:443 | relay-0135ac48.net.anydesk.com | OVH SAS | FR | unknown
4780 | AnyDesk (2).exe | 57.128.141.165:80 | relay-0135ac48.net.anydesk.com | OVH SAS | FR | unknown

DNS requests

Domain | IP | Reputation

boot.net.anydesk.com | 92.223.88.232, 37.59.29.33 | unknown
relay-2cf7befd.net.anydesk.com | 195.181.165.139 | unknown
relay-ad195ac5.net.anydesk.com | 57.128.141.163 | unknown
api.playanext.com | 18.245.86.105, 18.245.86.26, 18.245.86.84, 18.245.86.79 | whitelisted
relay-0135ac48.net.anydesk.com | 57.128.141.165 | unknown
self.events.data.microsoft.com | 13.89.178.26 | whitelisted
relay-d4aa0625.net.anydesk.com | 57.128.141.164 | unknown
relay-aeafd8c0.net.anydesk.com | 57.128.141.154 | unknown
slscr.update.microsoft.com | 52.165.165.26 | whitelisted
www.microsoft.com | 23.52.120.96 | whitelisted

Threats

PID | Process | Class | Message

4780 | AnyDesk (2).exe | Misc activity | ET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)
4780 | AnyDesk (2).exe | Potential Corporate Privacy Violation | ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent
4780 | AnyDesk (2).exe | A Network Trojan was detected | LOADER [ANY.RUN] QakBot TLS Certificate (8 alerts)
No debug info