File name:

AnyDesk (1).exe

Full analysis: https://app.any.run/tasks/19533d7b-e8ca-4b06-82bb-8dd368d0baf9
Verdict: Malicious activity
Analysis date: August 05, 2024, 12:14:34
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

C8246DC58903007CCF749A8AD70F5587

SHA1:

0B8B0EC823C7CA36BF821B75E2B92D16868DA05E

SHA256:

347E7D26F98DE9AC2E998739D695028FA761C3F035DBE5890731E30E53A955B3

SSDEEP:

98304:MSNXXPh3aoHMpKCsnjdT38CcmNzRhpp5KADCjP4HGGpABg9wisEoaDv8yz3gUYXh:XtJ7gG6H4pQR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • AnyDesk (1).exe (PID: 6392)
      • AnyDesk (1).exe (PID: 6472)
      • AnyDesk (1).exe (PID: 6936)
      • expand.exe (PID: 7128)
      • drvinst.exe (PID: 2224)
      • AnyDesk.exe (PID: 6988)

    • Create files in the Startup directory

      • AnyDesk (1).exe (PID: 6936)

  • SUSPICIOUS

    • Application launched itself

      • AnyDesk (1).exe (PID: 6392)
      • AnyDesk.exe (PID: 6988)

    • Executable content was dropped or overwritten

      • AnyDesk (1).exe (PID: 6472)
      • AnyDesk (1).exe (PID: 6936)
      • expand.exe (PID: 7128)
      • rundll32.exe (PID: 2872)
      • drvinst.exe (PID: 2224)
      • AnyDesk.exe (PID: 6988)

    • Connects to unusual port

      • AnyDesk (1).exe (PID: 6472)
      • AnyDesk.exe (PID: 6988)

    • Reads security settings of Internet Explorer

      • AnyDesk (1).exe (PID: 6392)
      • AnyDesk (1).exe (PID: 6936)

    • Reads the date of Windows installation

      • AnyDesk (1).exe (PID: 6392)
      • AnyDesk (1).exe (PID: 6936)

    • Creates a software uninstall entry

      • AnyDesk (1).exe (PID: 6936)
      • AnyDesk.exe (PID: 6988)

    • Searches for installed software

      • AnyDesk (1).exe (PID: 6480)
      • AnyDesk.exe (PID: 6988)
      • AnyDesk.exe (PID: 7120)
      • AnyDesk.exe (PID: 2468)
      • AnyDesk.exe (PID: 8044)

    • Executes as Windows Service

      • AnyDesk.exe (PID: 6988)

    • Adds/modifies Windows certificates

      • rundll32.exe (PID: 2872)

    • Unpacks CAB file

      • expand.exe (PID: 7128)

    • Creates files in the driver directory

      • drvinst.exe (PID: 2224)

    • Checks Windows Trust Settings

      • drvinst.exe (PID: 2224)

    • Potential Corporate Privacy Violation

      • AnyDesk.exe (PID: 6988)

    • The process checks if it is being run in the virtual environment

      • AnyDesk.exe (PID: 8044)

    • Uses RUNDLL32.EXE to load library

      • dllhost.exe (PID: 7980)

  • INFO

    • Reads the computer name

      • AnyDesk (1).exe (PID: 6392)
      • AnyDesk (1).exe (PID: 6472)
      • AnyDesk (1).exe (PID: 6480)
      • AnyDesk (1).exe (PID: 6936)
      • AnyDesk.exe (PID: 6988)
      • AnyDesk.exe (PID: 7120)
      • drvinst.exe (PID: 2224)
      • AnyDesk.exe (PID: 2468)
      • AnyDesk.exe (PID: 8044)
      • TextInputHost.exe (PID: 6904)

    • Checks supported languages

      • AnyDesk (1).exe (PID: 6392)
      • AnyDesk (1).exe (PID: 6472)
      • AnyDesk (1).exe (PID: 6480)
      • AnyDesk (1).exe (PID: 6936)
      • AnyDesk.exe (PID: 6988)
      • AnyDesk.exe (PID: 7120)
      • expand.exe (PID: 7128)
      • drvinst.exe (PID: 2224)
      • AnyDesk.exe (PID: 2468)
      • AnyDesk.exe (PID: 8044)
      • TextInputHost.exe (PID: 6904)

    • Creates files or folders in the user directory

      • AnyDesk (1).exe (PID: 6392)
      • AnyDesk (1).exe (PID: 6472)
      • expand.exe (PID: 7128)
      • AnyDesk (1).exe (PID: 6936)

    • Process checks whether UAC notifications are on

      • AnyDesk (1).exe (PID: 6392)

    • Reads the machine GUID from the registry

      • AnyDesk (1).exe (PID: 6472)
      • AnyDesk.exe (PID: 6988)
      • expand.exe (PID: 7128)
      • drvinst.exe (PID: 2224)
      • AnyDesk.exe (PID: 2468)

    • Checks proxy server information

      • AnyDesk (1).exe (PID: 6480)
      • AnyDesk.exe (PID: 7120)

    • Reads CPU info

      • AnyDesk (1).exe (PID: 6392)
      • AnyDesk.exe (PID: 2468)

    • Process checks computer location settings

      • AnyDesk (1).exe (PID: 6392)
      • AnyDesk (1).exe (PID: 6936)
      • AnyDesk.exe (PID: 6988)
      • AnyDesk.exe (PID: 7120)

    • Creates files in the program directory

      • AnyDesk (1).exe (PID: 6936)
      • AnyDesk.exe (PID: 6988)

    • Manual execution by a user

      • AnyDesk.exe (PID: 7120)
      • AnyDesk.exe (PID: 2468)

    • Reads the software policy settings

      • rundll32.exe (PID: 2872)
      • drvinst.exe (PID: 2224)
      • rundll32.exe (PID: 6168)

    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 2872)
      • rundll32.exe (PID: 6168)
      • dllhost.exe (PID: 7980)

    • Create files in a temporary directory

      • rundll32.exe (PID: 2872)

    • Drops the executable file immediately after the start

      • rundll32.exe (PID: 2872)

    • Adds/modifies Windows certificates

      • drvinst.exe (PID: 2224)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:22 15:09:51+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 10752
InitializedDataSize: 5336064
UninitializedDataSize: 19210240
EntryPoint: 0x1ce5
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 8.0.12.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: AnyDesk Software GmbH
FileDescription: AnyDesk
FileVersion: 8.0.12
ProductName: AnyDesk
ProductVersion: 8
LegalCopyright: (C) 2022 AnyDesk Software GmbH
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
169
Monitored processes
18
Malicious processes
6
Suspicious processes
2

Behavior graph

Click at the process to see the details
start anydesk (1).exe no specs anydesk (1).exe anydesk (1).exe no specs anydesk (1).exe anydesk.exe anydesk.exe no specs expand.exe conhost.exe no specs rundll32.exe anydesk.exe no specs drvinst.exe rundll32.exe no specs anydesk.exe no specs textinputhost.exe no specs dataexchangehost.exe no specs COpenControlPanel no specs COpenControlPanel no specs rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1748"C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\shell32.dll,Control_RunDLL C:\WINDOWS\System32\main.cpl ,1C:\Windows\System32\rundll32.exedllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
2224DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{c5936cbe-fa51-2849-8989-09f93ad1c815}\anydeskprintdriver.inf" "9" "49a18f3d7" "00000000000001C8" "WinSta0\Default" "00000000000001DC" "208" "c:\users\admin\appdata\roaming\anydesk\printer_driver"C:\Windows\System32\drvinst.exe
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
2468"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --new-installC:\Program Files (x86)\AnyDesk\AnyDesk.exeexplorer.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Exit code:
0
Version:
8.0.12
Modules
Images
c:\program files (x86)\anydesk\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\winmm.dll
c:\windows\syswow64\msvcrt.dll
2872"C:\Windows\System32\rundll32.exe" printui.dll, PrintUIEntry /if /b "AnyDesk Printer" /f "C:\Users\admin\AppData\Roaming\AnyDesk\printer_driver\AnyDeskPrintDriver.inf" /r "AD_Port" /m "AnyDesk v4 Printer Driver"C:\Windows\SysWOW64\rundll32.exe
AnyDesk (1).exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
6168rundll32.exe C:\WINDOWS\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{3699ce90-e6b2-0c42-ba21-019d24b71038} Global\{f9460f2c-9fbf-0941-a5a7-e6ff376d5ccc} C:\WINDOWS\System32\DriverStore\Temp\{ff9755ee-b86d-244c-ab8b-4ca42c99a736}\anydeskprintdriver.inf C:\WINDOWS\System32\DriverStore\Temp\{ff9755ee-b86d-244c-ab8b-4ca42c99a736}\AnyDeskPrintDriver.catC:\Windows\System32\rundll32.exedrvinst.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
6392"C:\Users\admin\AppData\Local\Temp\AnyDesk (1).exe" C:\Users\admin\AppData\Local\Temp\AnyDesk (1).exeexplorer.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Exit code:
0
Version:
8.0.12
Modules
Images
c:\users\admin\appdata\local\temp\anydesk (1).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
6472"C:\Users\admin\AppData\Local\Temp\AnyDesk (1).exe" --local-serviceC:\Users\admin\AppData\Local\Temp\AnyDesk (1).exe
AnyDesk (1).exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Exit code:
1
Version:
8.0.12
Modules
Images
c:\users\admin\appdata\local\temp\anydesk (1).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
6480"C:\Users\admin\AppData\Local\Temp\AnyDesk (1).exe" --local-controlC:\Users\admin\AppData\Local\Temp\AnyDesk (1).exeAnyDesk (1).exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Exit code:
0
Version:
8.0.12
Modules
Images
c:\users\admin\appdata\local\temp\anydesk (1).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
6904"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mcaC:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
1
Version:
123.26505.0.0
Modules
Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
6936"C:\Users\admin\AppData\Local\Temp\AnyDesk (1).exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-driver:mirror --install-driver:printer --update-main --svc-conf "C:\Users\admin\AppData\Roaming\AnyDesk\service.conf" --sys-conf "C:\Users\admin\AppData\Roaming\AnyDesk\system.conf" C:\Users\admin\AppData\Local\Temp\AnyDesk (1).exe
AnyDesk (1).exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
HIGH
Description:
AnyDesk
Exit code:
0
Version:
8.0.12
Modules
Images
c:\users\admin\appdata\local\temp\anydesk (1).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
Total events
33 165
Read events
33 024
Write events
136
Delete events
5

Modification events

(PID) Process:(6392) AnyDesk (1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(6392) AnyDesk (1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(6392) AnyDesk (1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(6392) AnyDesk (1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(6936) AnyDesk (1).exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation:writeName:DisplayIcon
Value:
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"
(PID) Process:(6936) AnyDesk (1).exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation:writeName:DisplayName
Value:
AnyDesk
(PID) Process:(6936) AnyDesk (1).exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation:writeName:DisplayVersion
Value:
ad 8.0.12
(PID) Process:(6936) AnyDesk (1).exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation:writeName:EstimatedSize
Value:
2048
(PID) Process:(6936) AnyDesk (1).exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation:writeName:HelpLink
Value:
https://help.anydesk.com/
(PID) Process:(6936) AnyDesk (1).exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation:writeName:InstallLocation
Value:
"C:\Program Files (x86)\AnyDesk"
Executable files
17
Suspicious files
46
Text files
21
Unknown types
1

Dropped files

PID
Process
Filename
Type
6392AnyDesk (1).exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CTMI0NAC0OEJ98ZZG8BU.tempbinary
MD5:4E4BFF48DB37E726C656BD708808C045
SHA256:72E7475A1549A7840BA824D66B7AAF8AC0C792E05D71CE9B95CA5C3F57B47079
6936AnyDesk (1).exeC:\ProgramData\AnyDesk\service.conftext
MD5:BA050DC3E271F58A846B293503902B54
SHA256:59FDD14C7241E5BB6541051712755885BDC44BE6C8868E37296048EAA5CAA92C
6392AnyDesk (1).exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conftext
MD5:A787C308BD30D6D844E711D7579BE552
SHA256:8A395011A6A877D3BDD53CC8688EF146160DAB9D42140EB4A70716AD4293A440
6936AnyDesk (1).exeC:\Users\Public\Desktop\AnyDesk.lnklnk
MD5:569811D9862E7127F4D1B98A25D555C4
SHA256:37F03B17AA0617152EC17E1E276FBE2385EB303DDD99013FC3823AAE6540E606
6936AnyDesk (1).exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnyDesk\AnyDesk.lnklnk
MD5:BE583CDB539C5778D34CE1E7AAE0991A
SHA256:24E4994557931F22C1DAB4268F4B6084D1DBEFDF1CC741B7BE920D05C29A7E1E
6936AnyDesk (1).exeC:\ProgramData\AnyDesk\system.conftext
MD5:F1E5B8D472FDB984B030EC770CCCFCB3
SHA256:FD21E4A1631E51632B3FFDCD60B7EF0E93E10A36F86CD0E23641E92BF52768C2
6936AnyDesk (1).exeC:\Program Files (x86)\AnyDesk\AnyDesk.exeexecutable
MD5:C8246DC58903007CCF749A8AD70F5587
SHA256:347E7D26F98DE9AC2E998739D695028FA761C3F035DBE5890731E30E53A955B3
6936AnyDesk (1).exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnyDesk\Uninstall AnyDesk.lnklnk
MD5:DDF7DCE8B9771FA4FEA19BA9CE97655A
SHA256:281A6E9CE6D8957FF8BF5AB0B730FAEF231AC756E88F5982F8C58C5FF9621100
6936AnyDesk (1).exeC:\Users\admin\AppData\Roaming\AnyDesk\printer_driver\v4.cabcompressed
MD5:5A4F0869298454215CCCF8B3230467B3
SHA256:5214E8FF8454C715B10B448E496311B4FF18306ECF9CBB99A97EB0076304CE9A
7128expand.exeC:\Users\admin\AppData\Roaming\AnyDesk\printer_driver\AnyDeskPrintDriver-manifest.initext
MD5:0D7876B516B908AAB67A8E01E49C4DED
SHA256:98933DE1B6C34B4221D2DD065715418C85733C2B8CB4BD12AC71D797B78A1753
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
113
DNS requests
33
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5484
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6988
AnyDesk.exe
POST
200
18.245.86.105:80
http://api.playanext.com/httpapi
unknown
unknown
6208
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6320
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
1028
SystemSettings.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
1028
SystemSettings.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
2536
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4088
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
6472
AnyDesk (1).exe
212.102.60.76:443
boot.net.anydesk.com
Datacamp Limited
US
unknown
6472
AnyDesk (1).exe
212.102.60.76:80
boot.net.anydesk.com
Datacamp Limited
US
unknown
6472
AnyDesk (1).exe
212.102.60.76:6568
boot.net.anydesk.com
Datacamp Limited
US
unknown
6472
AnyDesk (1).exe
51.91.80.120:443
relay-1d1370e8.net.anydesk.com
OVH SAS
FR
unknown
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.14
whitelisted
boot.net.anydesk.com
  • 212.102.60.76
whitelisted
relay-1d1370e8.net.anydesk.com
  • 51.91.80.120
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
relay-8bd65c3e.net.anydesk.com
  • 162.19.139.49
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
login.live.com
  • 40.126.32.134
  • 20.190.160.20
  • 40.126.32.68
  • 40.126.32.138
  • 40.126.32.74
  • 20.190.160.22
  • 40.126.32.136
  • 40.126.32.140
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
www.bing.com
  • 104.126.37.155
  • 104.126.37.161
  • 104.126.37.145
  • 104.126.37.160
  • 104.126.37.162
  • 104.126.37.146
  • 104.126.37.152
  • 104.126.37.163
  • 104.126.37.153
  • 2.23.209.169
  • 2.23.209.171
  • 2.23.209.161
  • 2.23.209.166
  • 2.23.209.162
  • 2.23.209.160
  • 2.23.209.168
  • 2.23.209.167
  • 2.23.209.173
whitelisted
api.playanext.com
  • 18.245.86.79
  • 18.245.86.84
  • 18.245.86.26
  • 18.245.86.105
whitelisted

Threats

PID
Process
Class
Message
6988
AnyDesk.exe
Potential Corporate Privacy Violation
ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
AnyDesk (1).exe