File name: AnyDesk (2).exe
Full analysis: https://app.any.run/tasks/fe49a08a-4c31-4611-a443-a22fc0858e4b
Verdict: Malicious activity
Analysis date: January 28, 2024, 00:06:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 40483C4AC249B747060AC46CCE13AB6F
SHA1: 0B82B980EEA1E8D2BE9E70E01FE1421AA38ABC7D
SHA256: 1D0D0A6C3770C390744033232A8DE0BF682716849EBC2866118C65C51CF5D4D9
SSDEEP: 98304:8DmuJ3cTQ0ANeaNzz+iPjmjzb7cT3eiuqgYvGX0VWJ1ZnhbQ9DN8AGY4wjUCwk5Q:vFF/T

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • AnyDesk (2).exe (PID: 2568)
      • AnyDesk (2).exe (PID: 680)
  • SUSPICIOUS

    • Reads the Internet Settings

      • AnyDesk (2).exe (PID: 2740)
      • AnyDesk (2).exe (PID: 680)
    • Application launched itself

      • AnyDesk (2).exe (PID: 2568)
      • AnyDesk (2).exe (PID: 680)
      • AnyDesk (2).exe (PID: 1932)
    • Executable content was dropped or overwritten

      • AnyDesk (2).exe (PID: 680)
    • Connects to unusual port

      • AnyDesk (2).exe (PID: 680)
  • INFO

    • Creates files or folders in the user directory

      • AnyDesk (2).exe (PID: 2568)
      • AnyDesk (2).exe (PID: 680)
    • Reads the computer name

      • AnyDesk (2).exe (PID: 2568)
      • AnyDesk (2).exe (PID: 680)
      • AnyDesk (2).exe (PID: 2740)
      • AnyDesk (2).exe (PID: 1932)
      • AnyDesk (2).exe (PID: 3024)
      • NLBrute 1.2 x64 & VPN - KeyGen.exe (PID: 560)
      • AnyDesk (2).exe (PID: 2016)
    • Checks supported languages

      • AnyDesk (2).exe (PID: 2568)
      • AnyDesk (2).exe (PID: 680)
      • AnyDesk (2).exe (PID: 2740)
      • AnyDesk (2).exe (PID: 2016)
      • AnyDesk (2).exe (PID: 1932)
      • AnyDesk (2).exe (PID: 3024)
      • NLBrute 1.2 x64 & VPN - KeyGen.exe (PID: 560)
    • Process checks whether UAC notifications are on

      • AnyDesk (2).exe (PID: 2568)
    • Reads the machine GUID from the registry

      • AnyDesk (2).exe (PID: 680)
      • AnyDesk (2).exe (PID: 2568)
      • AnyDesk (2).exe (PID: 2740)
      • NLBrute 1.2 x64 & VPN - KeyGen.exe (PID: 560)
    • Reads CPU info

      • AnyDesk (2).exe (PID: 2568)
    • Manual execution by a user

      • NLBrute 1.2 x64 & VPN - KeyGen.exe (PID: 560)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:01:16 14:10:29+01:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 10752
InitializedDataSize: 5182976
UninitializedDataSize: 19082752
EntryPoint: 0x1ce5
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 8.0.7.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: AnyDesk Software GmbH
FileDescription: AnyDesk
FileVersion: 8.0.7
ProductName: AnyDesk
ProductVersion: 8
LegalCopyright: (C) 2022 AnyDesk Software GmbH
No data.
All screenshots are available in the full report
Total processes: 54
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 0


Process information

PID 560: "C:\Users\admin\Desktop\NLBrute 1.2 x64 & VPN - KeyGen.exe"
  Path: C:\Users\admin\Desktop\NLBrute 1.2 x64 & VPN - KeyGen.exe
  Parent process: explorer.exe
  User: admin | Integrity Level: MEDIUM | Exit code: 0
  Indicators: none listed
  Modules: c:\users\admin\desktop\nlbrute 1.2 x64 & vpn - keygen.exe; c:\windows\system32\ntdll.dll, kernel32.dll, kernelbase.dll, user32.dll, gdi32.dll, lpk.dll, usp10.dll, msvcrt.dll, imm32.dll

PID 680: "C:\Users\admin\AppData\Local\Temp\AnyDesk (2).exe" --local-service
  Path: C:\Users\admin\AppData\Local\Temp\AnyDesk (2).exe
  Parent process: AnyDesk (2).exe
  User: admin | Integrity Level: MEDIUM | Exit code: 1073807364 (0x40010004, DBG_TERMINATE_PROCESS: still running when the analysis session ended)
  Company: AnyDesk Software GmbH | Description: AnyDesk | Version: 8.0.7
  Indicators: none listed
  Modules: c:\users\admin\appdata\local\temp\anydesk (2).exe; c:\windows\system32\ntdll.dll, kernel32.dll, kernelbase.dll, winmm.dll, msvcrt.dll, user32.dll, gdi32.dll, lpk.dll, usp10.dll

PID 1932: "C:\Users\admin\AppData\Local\Temp\AnyDesk (2).exe" --backproxy-system
  Path: C:\Users\admin\AppData\Local\Temp\AnyDesk (2).exe
  Parent process: AnyDesk (2).exe
  User: admin | Integrity Level: HIGH | Exit code: 251661264 (0x0F000BD0)
  Company: AnyDesk Software GmbH | Description: AnyDesk | Version: 8.0.7
  Indicators: none listed
  Modules: c:\users\admin\appdata\local\temp\anydesk (2).exe; c:\windows\system32\ntdll.dll, kernel32.dll, kernelbase.dll, winmm.dll, msvcrt.dll, user32.dll, gdi32.dll, lpk.dll, usp10.dll

PID 2016: "C:\Users\admin\AppData\Local\Temp\AnyDesk (2).exe" --backend
  Path: C:\Users\admin\AppData\Local\Temp\AnyDesk (2).exe
  Parent process: AnyDesk (2).exe
  User: admin | Integrity Level: MEDIUM | Exit code: 0
  Company: AnyDesk Software GmbH | Description: AnyDesk | Version: 8.0.7
  Indicators: none listed
  Modules: c:\users\admin\appdata\local\temp\anydesk (2).exe; c:\windows\system32\ntdll.dll, kernel32.dll, kernelbase.dll, winmm.dll, msvcrt.dll, user32.dll, gdi32.dll, lpk.dll, usp10.dll

PID 2568: "C:\Users\admin\AppData\Local\Temp\AnyDesk (2).exe"
  Path: C:\Users\admin\AppData\Local\Temp\AnyDesk (2).exe
  Parent process: explorer.exe
  User: admin | Integrity Level: MEDIUM | Exit code: 1073807364 (0x40010004, DBG_TERMINATE_PROCESS: still running when the analysis session ended)
  Company: AnyDesk Software GmbH | Description: AnyDesk | Version: 8.0.7
  Indicators: none listed
  Modules: c:\users\admin\appdata\local\temp\anydesk (2).exe; c:\windows\system32\ntdll.dll, kernel32.dll, kernelbase.dll, winmm.dll, msvcrt.dll, user32.dll, gdi32.dll, lpk.dll, usp10.dll

PID 2740: "C:\Users\admin\AppData\Local\Temp\AnyDesk (2).exe" --local-control
  Path: C:\Users\admin\AppData\Local\Temp\AnyDesk (2).exe
  Parent process: AnyDesk (2).exe
  User: admin | Integrity Level: MEDIUM | Exit code: 0
  Company: AnyDesk Software GmbH | Description: AnyDesk | Version: 8.0.7
  Indicators: none listed
  Modules: c:\users\admin\appdata\local\temp\anydesk (2).exe; c:\windows\system32\ntdll.dll, kernel32.dll, kernelbase.dll, winmm.dll, msvcrt.dll, user32.dll, gdi32.dll, lpk.dll, usp10.dll

PID 3024: "C:\Users\admin\AppData\Local\Temp\AnyDesk (2).exe" --backend
  Path: C:\Users\admin\AppData\Local\Temp\AnyDesk (2).exe
  Parent process: AnyDesk (2).exe
  User: SYSTEM | Integrity Level: SYSTEM | Exit code: 1073807364 (0x40010004, DBG_TERMINATE_PROCESS: still running when the analysis session ended)
  Company: AnyDesk Software GmbH | Description: AnyDesk | Version: 8.0.7
  Indicators: none listed
  Modules: c:\users\admin\appdata\local\temp\anydesk (2).exe; c:\windows\system32\ntdll.dll, kernel32.dll, kernelbase.dll, winmm.dll, msvcrt.dll, user32.dll, gdi32.dll, lpk.dll, usp10.dll
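The table above shows a binary executed from the user's %TEMP% directory (PID 2568, launched from explorer.exe) whose siblings reach HIGH integrity (PID 1932, --backproxy-system) and SYSTEM (PID 3024, --backend), consistent with AnyDesk elevating to run its service-side components; the same shape from an unrecognised binary would be a priority finding. The script below is an added example, not part of the ANY.RUN report or of AnyDesk. The rows are copied from the Process information table (parents are given by image name only, as in the report); the user-writable path pattern, the remote-access tool list and the flag names are the author's assumptions.

```python
"""Flag processes that run from a user-writable directory, and in particular
those that reach HIGH or SYSTEM integrity from such a path.

Added example built on this report's Process information table; not part of
the ANY.RUN report. Path patterns, tool list and flag names are assumptions.
"""
import re

# (pid, image path, arguments, parent image, user, integrity level), copied from the report.
REPORT_PROCESSES = [
    (560,  r"C:\Users\admin\Desktop\NLBrute 1.2 x64 & VPN - KeyGen.exe", "", "explorer.exe", "admin", "MEDIUM"),
    (680,  r"C:\Users\admin\AppData\Local\Temp\AnyDesk (2).exe", "--local-service", "AnyDesk (2).exe", "admin", "MEDIUM"),
    (1932, r"C:\Users\admin\AppData\Local\Temp\AnyDesk (2).exe", "--backproxy-system", "AnyDesk (2).exe", "admin", "HIGH"),
    (2016, r"C:\Users\admin\AppData\Local\Temp\AnyDesk (2).exe", "--backend", "AnyDesk (2).exe", "admin", "MEDIUM"),
    (2568, r"C:\Users\admin\AppData\Local\Temp\AnyDesk (2).exe", "", "explorer.exe", "admin", "MEDIUM"),
    (2740, r"C:\Users\admin\AppData\Local\Temp\AnyDesk (2).exe", "--local-control", "AnyDesk (2).exe", "admin", "MEDIUM"),
    (3024, r"C:\Users\admin\AppData\Local\Temp\AnyDesk (2).exe", "--backend", "AnyDesk (2).exe", "SYSTEM", "SYSTEM"),
]

# Directories an unprivileged user can write to (assumption; extend per environment).
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata\\local\\temp|desktop|downloads)\\", re.I)
ELEVATED = {"HIGH", "SYSTEM"}
# Remote-access tool image names worth a second look when they run outside Program Files (assumption).
REMOTE_ACCESS_IMAGES = ("anydesk",)


def flags_for(proc):
    """Return the list of triage flags raised by one process row."""
    _pid, path, _args, parent, _user, integrity = proc
    image = path.rsplit("\\", 1)[-1].lower()
    flags = []
    if any(tool in image for tool in REMOTE_ACCESS_IMAGES):
        flags.append("remote-access-tool")
    if USER_WRITABLE.match(path):
        flags.append("user-writable-path")
        if integrity in ELEVATED:
            # An image in Temp/Desktop running as HIGH or SYSTEM: either an installer
            # that elevated (as AnyDesk does here) or something that should not be there.
            flags.append("elevated-from-user-writable")
    if parent.lower() == "explorer.exe":
        flags.append("user-launched")
    return flags


def triage(procs):
    """Map pid -> flags for every process that raised at least one flag."""
    result = {}
    for proc in procs:
        flags = flags_for(proc)
        if flags:
            result[proc[0]] = flags
    return result


def children_of(procs, image_name):
    """PIDs whose parent image matches image_name; the report lists parents by name only."""
    return sorted(pid for pid, _p, _a, parent, _u, _i in procs if parent.lower() == image_name.lower())


if __name__ == "__main__":
    for pid, flags in triage(REPORT_PROCESSES).items():
        print(pid, ", ".join(flags))
    print("children of AnyDesk (2).exe:", children_of(REPORT_PROCESSES, "AnyDesk (2).exe"))
```

On this report the two elevated-from-user-writable hits are PIDs 1932 and 3024; whether that is acceptable depends on whether AnyDesk was expected on the host, which the sandbox cannot tell you.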
Total events: 3 199 (read: 3 188, write: 11, delete: 0)

Modification events

PID 680 (AnyDesk (2).exe) writes to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap:
  ProxyBypass = 1
  IntranetName = 1
  UNCAsIntranet = 1
  AutoDetect = 0
PID 3024 (AnyDesk (2).exe) writes to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication:
  Name = flashplayer32ax_xa_install.exe
  Name = AnyDesk (2).exe

The four ZoneMap values are the Local Intranet zone defaults that Windows' URL security zone code writes the first time a process initialises it, and MostRecentApplication is updated by ddraw.dll whenever an application initialises DirectDraw; on its own, neither write indicates persistence or tampering.
Executable files: 1
Suspicious files: 3
Text files: 5
Unknown types: 0

Dropped files

PID 2568 (AnyDesk (2).exe): C:\Users\admin\AppData\Roaming\AnyDesk\user.conf (text)
  MD5: A787C308BD30D6D844E711D7579BE552
  SHA256: 8A395011A6A877D3BDD53CC8688EF146160DAB9D42140EB4A70716AD4293A440
PID 2568 (AnyDesk (2).exe): C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\05P5OHEYGGL4GZARUF2X.temp (binary)
  MD5: 3CBA962C95C26403E33A9E115A5BF676
  SHA256: 3DEFEBFE895CBC22938092EDD3694FB631D9C107EFDE9CE4EEC8E1715CE31E3B
PID 2568 (AnyDesk (2).exe): C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms (binary)
  MD5: 3CBA962C95C26403E33A9E115A5BF676
  SHA256: 3DEFEBFE895CBC22938092EDD3694FB631D9C107EFDE9CE4EEC8E1715CE31E3B
PID 680 (AnyDesk (2).exe): C:\Users\admin\AppData\Local\Temp\gcapi.dll (executable)
  MD5: 1CE7D5A1566C8C449D0F6772A8C27900
  SHA256: 73170761D6776C0DEBACFBBC61B6988CB8270A20174BF5C049768A264BB8FFAF
PID 680 (AnyDesk (2).exe): C:\Users\admin\AppData\Roaming\AnyDesk\system.conf (text)
  MD5: 0C04AD1083DC5C7C45E3EE2CD344AE38
  SHA256: 6452273C017DB7CBE0FFC5B109BBF3F8D3282FB91BFA3C5EABC4FB8F1FC98CB0
PID 680 (AnyDesk (2).exe): C:\Users\admin\AppData\Roaming\AnyDesk\connection_trace.txt (binary)
  MD5: 35BC0CF06F833D5D948A8F8C7EC1B098
  SHA256: D1B0D388548EE74ED3CFEBCD6BA75FD40C957F59FBA792757AA9C701830A2E41
PID 680 (AnyDesk (2).exe): C:\Users\admin\AppData\Roaming\AnyDesk\service.conf (text)
  MD5: A5349A370481E6C662DFDE90F1883B35
  SHA256: EC92F5E50C3DFD8DB490426BF92F221EDCB6AD17CAEEFD8C580141A23EDD2032
PID 560 (NLBrute 1.2 x64 & VPN - KeyGen.exe): C:\Users\admin\Desktop\key.txt (text)
  MD5: EA16E420E508E4866C12480EDFEBCCFA
  SHA256: 7C53369742D035FA9194606DA9A31A86A7D7113930AA7B7C0C94488E72399598
PID 1932 (AnyDesk (2).exe): C:\Users\admin\AppData\Roaming\AnyDesk\ad.trace (text)
  MD5: FFF843C16AB0FA6E64A9BFC04F998DB7
  SHA256: EE200B21F13D4B1228984E1D7CFE41F6F9118CFBA273E7AFBF7FFDE5F2394272
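The file hashes at the top of the report and the dropped-file hashes above are the artefacts a responder sweeps other hosts for. The sample hash and gcapi.dll are stable across installs; the AnyDesk .conf and trace files carry per-installation data, so their hashes only match this exact run and are better collected by path (connection_trace.txt in particular records incoming sessions). The script below is an added example, not part of the ANY.RUN report or of AnyDesk: the hash values and path suffixes are copied from the report, while the directory walk, the two-tier matching and the constructed demo() tree are the author's.

```python
"""Sweep a directory tree for this report's file IOCs: SHA256 values of the
sample and its dropped files (exact matches), plus AnyDesk artefact paths that
are worth collecting even when the content, and so the hash, differs.

Added example built from the report's hashes; not part of the ANY.RUN report.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 values from the report's file info and Dropped files sections.
REPORT_SHA256 = {
    "1D0D0A6C3770C390744033232A8DE0BF682716849EBC2866118C65C51CF5D4D9": "AnyDesk (2).exe (sample)",
    "8A395011A6A877D3BDD53CC8688EF146160DAB9D42140EB4A70716AD4293A440": "AnyDesk\\user.conf",
    "3DEFEBFE895CBC22938092EDD3694FB631D9C107EFDE9CE4EEC8E1715CE31E3B": "CustomDestinations jump list",
    "73170761D6776C0DEBACFBBC61B6988CB8270A20174BF5C049768A264BB8FFAF": "Temp\\gcapi.dll",
    "6452273C017DB7CBE0FFC5B109BBF3F8D3282FB91BFA3C5EABC4FB8F1FC98CB0": "AnyDesk\\system.conf",
    "D1B0D388548EE74ED3CFEBCD6BA75FD40C957F59FBA792757AA9C701830A2E41": "AnyDesk\\connection_trace.txt",
    "EC92F5E50C3DFD8DB490426BF92F221EDCB6AD17CAEEFD8C580141A23EDD2032": "AnyDesk\\service.conf",
    "7C53369742D035FA9194606DA9A31A86A7D7113930AA7B7C0C94488E72399598": "Desktop\\key.txt (keygen output)",
    "EE200B21F13D4B1228984E1D7CFE41F6F9118CFBA273E7AFBF7FFDE5F2394272": "AnyDesk\\ad.trace",
}

# Path suffixes (lower-case, forward slashes) taken from the report's dropped-file paths.
ARTEFACT_SUFFIXES = (
    "appdata/roaming/anydesk/connection_trace.txt",
    "appdata/roaming/anydesk/ad.trace",
    "appdata/roaming/anydesk/system.conf",
    "appdata/roaming/anydesk/user.conf",
    "appdata/roaming/anydesk/service.conf",
    "appdata/local/temp/gcapi.dll",
)


def sha256_file(path, chunk=1 << 20):
    """Upper-case hex SHA256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def sweep(root, iocs=REPORT_SHA256, suffixes=ARTEFACT_SUFFIXES):
    """Return (kind, path, detail) tuples: kind 'hash' for an exact IOC match
    (detail = report label) or 'path' for an AnyDesk artefact location (detail = its SHA256)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            norm = str(p).replace("\\", "/").lower()
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # locked or unreadable: skip the file rather than abort the sweep
            if digest in iocs:
                hits.append(("hash", str(p), iocs[digest]))
            elif any(norm.endswith(s) for s in suffixes):
                hits.append(("path", str(p), digest))
    return hits


def demo():
    """Constructed tree (not from the report): an empty file, whose SHA256 is known,
    and a placeholder at the connection_trace.txt path; returns the sorted hits."""
    empty_sha = "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "sample.bin").write_bytes(b"")
        trace = Path(root) / "AppData" / "Roaming" / "AnyDesk" / "connection_trace.txt"
        trace.parent.mkdir(parents=True)
        trace.write_text("constructed placeholder, not the report's file\n")
        iocs = {**REPORT_SHA256, empty_sha: "constructed empty file"}
        return sorted(sweep(root, iocs))


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(kind, path, detail)
```

Run sweep() against a user profile (or a mounted image) to get both tiers; a 'hash' hit on the sample or gcapi.dll is this exact build, while a 'path' hit means AnyDesk was present and the file should be pulled for review.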
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 25
DNS requests: 2
Threats: 1

HTTP requests

No HTTP requests

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
680 | AnyDesk (2).exe | 185.229.190.236:443 | boot.net.anydesk.com | Datacamp Limited | NL | unknown
680 | AnyDesk (2).exe | 208.115.231.118:443 | relay-50d24364.net.anydesk.com | LIMESTONENETWORKS | US | unknown
680 | AnyDesk (2).exe | 195.123.212.169:39583 | - | ITL LLC | LV | unknown
680 | AnyDesk (2).exe | 195.123.212.169:7070 | - | ITL LLC | LV | unknown

DNS requests

Domain | IP | Reputation
boot.net.anydesk.com | 185.229.190.236 | unknown
relay-50d24364.net.anydesk.com | 208.115.231.118 | unknown

Threats

PID | Process | Class | Message
680 | AnyDesk (2).exe | Misc activity | ET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)
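The network section splits into two kinds of AnyDesk traffic: TLS on 443 to boot.net.anydesk.com and a relay-*.net.anydesk.com host, which any AnyDesk session produces, and two connections to 195.123.212.169 with no domain, on 39583 and 7070. TCP 7070 is AnyDesk's default port for direct (peer-to-peer) sessions, so these look like a direct session with a remote peer rather than vendor infrastructure; 39583 is what the "Connects to unusual port" signature fires on. Because the sandbox session is interactive (see the notice at the top), that peer may be whoever connected to or from the guest, so the IP is a lead to enrich, not a verdict. The triage script below is an added example, not part of the ANY.RUN report or of AnyDesk: the rows are copied from the Connections table, while the category names and the rule that separates vendor infrastructure from direct peers are the author's assumptions.

```python
"""Split an AnyDesk process's connections into vendor infrastructure and
direct peers, and collect the peer IPs and ports for enrichment.

Added example built on this report's Connections table; not part of the
ANY.RUN report. Category names and rules are assumptions.
"""
from collections import defaultdict

# (pid, process, ip, port, resolved domain or None), copied from the report.
REPORT_CONNECTIONS = [
    (4, "System", "192.168.100.255", 137, None),
    (1080, "svchost.exe", "224.0.0.252", 5355, None),
    (4, "System", "192.168.100.255", 138, None),
    (680, "AnyDesk (2).exe", "185.229.190.236", 443, "boot.net.anydesk.com"),
    (680, "AnyDesk (2).exe", "208.115.231.118", 443, "relay-50d24364.net.anydesk.com"),
    (680, "AnyDesk (2).exe", "195.123.212.169", 39583, None),
    (680, "AnyDesk (2).exe", "195.123.212.169", 7070, None),
]

ANYDESK_INFRA_SUFFIX = ".net.anydesk.com"  # boot/relay hosts seen in the report
ANYDESK_DIRECT_PORT = 7070                  # AnyDesk's default TCP port for direct sessions


def classify(row):
    """Assign one category to a connection row."""
    _pid, proc, _ip, port, domain = row
    if "anydesk" not in proc.lower():
        return "other-process"
    if domain and domain.endswith(ANYDESK_INFRA_SUFFIX):
        return "anydesk-infra"             # vendor boot/relay servers: expected for any session
    if port == ANYDESK_DIRECT_PORT:
        return "direct-peer"               # remote AnyDesk peer on the default direct port
    return "direct-peer-nonstandard"       # remote peer on some other port: still a peer, note the port


def triage(rows):
    """Return (rows grouped by category, {peer ip: set of ports}) for AnyDesk traffic
    that did not go to vendor infrastructure."""
    by_category = defaultdict(list)
    peers = defaultdict(set)
    for row in rows:
        cat = classify(row)
        by_category[cat].append(row)
        if cat.startswith("direct-peer"):
            peers[row[2]].add(row[3])
    return dict(by_category), {ip: sorted(ports) for ip, ports in peers.items()}


if __name__ == "__main__":
    cats, peers = triage(REPORT_CONNECTIONS)
    for cat, rows in cats.items():
        print(cat)
        for pid, proc, ip, port, domain in rows:
            print(f"  pid {pid} {proc} -> {ip}:{port} {domain or ''}")
    print("peers to enrich:", peers)
```

The domain check relies on the resolved name the sandbox attached to the connection; on a host without that correlation, resolve or reverse-resolve the IP first, or treat every non-infrastructure destination of the AnyDesk process as a peer to review.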
No debug info