File name:

anydesk-8-0-8.exe

Full analysis: https://app.any.run/tasks/c52df9e9-5bb2-4978-b63f-7a3d571ccb7d
Verdict: Malicious activity
Analysis date: February 06, 2024, 11:53:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

A21768190F3B9FEAE33AAEF660CB7A83

SHA1:

24780657328783EF50AE0964B23288E68841A421

SHA256:

55E4CE3FE726043070ECD7DE5A74B2459EA8BED19EF2A36CE7884B2AB0863047

SSDEEP:

98304:77G2MoEslkjwWvZNy87N6IWwZ/wszMRAx8SvePTqWeYaPPYZOkL67enf5Lglp4mK:xaPWzKc818XE58BZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • anydesk-8-0-8.exe (PID: 5756)
      • anydesk-8-0-8.exe (PID: 6216)

  • SUSPICIOUS

    • Application launched itself

      • anydesk-8-0-8.exe (PID: 5756)

    • Executable content was dropped or overwritten

      • anydesk-8-0-8.exe (PID: 6216)

    • Connects to unusual port

      • anydesk-8-0-8.exe (PID: 6216)

  • INFO

    • Creates files or folders in the user directory

      • anydesk-8-0-8.exe (PID: 5756)

    • Checks supported languages

      • anydesk-8-0-8.exe (PID: 6168)
      • anydesk-8-0-8.exe (PID: 5756)
      • anydesk-8-0-8.exe (PID: 6216)

    • Reads the computer name

      • anydesk-8-0-8.exe (PID: 5756)
      • anydesk-8-0-8.exe (PID: 6216)
      • anydesk-8-0-8.exe (PID: 6168)

    • Process checks whether UAC notifications are on

      • anydesk-8-0-8.exe (PID: 5756)

    • Reads the machine GUID from the registry

      • anydesk-8-0-8.exe (PID: 6216)

    • Checks proxy server information

      • anydesk-8-0-8.exe (PID: 6168)

    • Reads CPU info

      • anydesk-8-0-8.exe (PID: 5756)

    • Process checks computer location settings

      • anydesk-8-0-8.exe (PID: 6216)
      • anydesk-8-0-8.exe (PID: 6168)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:01:27 19:04:37+01:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 10752
InitializedDataSize: 5185024
UninitializedDataSize: 19132416
EntryPoint: 0x3653
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 8.0.8.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: AnyDesk Software GmbH
FileDescription: AnyDesk
FileVersion: 8.0.8
ProductName: AnyDesk
ProductVersion: 8
LegalCopyright: (C) 2022 AnyDesk Software GmbH
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
131
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start anydesk-8-0-8.exe no specs anydesk-8-0-8.exe anydesk-8-0-8.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
5756"C:\Users\admin\Desktop\anydesk-8-0-8.exe" C:\Users\admin\Desktop\anydesk-8-0-8.exeexplorer.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Exit code:
0
Version:
8.0.8
Modules
Images
c:\users\admin\desktop\anydesk-8-0-8.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
6168"C:\Users\admin\Desktop\anydesk-8-0-8.exe" --local-controlC:\Users\admin\Desktop\anydesk-8-0-8.exeanydesk-8-0-8.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Exit code:
0
Version:
8.0.8
Modules
Images
c:\users\admin\desktop\anydesk-8-0-8.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
6216"C:\Users\admin\Desktop\anydesk-8-0-8.exe" --local-serviceC:\Users\admin\Desktop\anydesk-8-0-8.exe
anydesk-8-0-8.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Exit code:
0
Version:
8.0.8
Modules
Images
c:\users\admin\desktop\anydesk-8-0-8.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
Total events
503
Read events
503
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
5756anydesk-8-0-8.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conftext
MD5:A787C308BD30D6D844E711D7579BE552
SHA256:8A395011A6A877D3BDD53CC8688EF146160DAB9D42140EB4A70716AD4293A440
5756anydesk-8-0-8.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6VMGZ9D90TZ1KLIDZ4LI.tempbinary
MD5:E50BE6ECC497EE8C6D489591549C898B
SHA256:09808B3103DD6E2FBB77E073FDC28C5654FA024C3B43B3B13F725D756290D4F7
6216anydesk-8-0-8.exeC:\Users\admin\AppData\Roaming\AnyDesk\system.conftext
MD5:0C04AD1083DC5C7C45E3EE2CD344AE38
SHA256:6452273C017DB7CBE0FFC5B109BBF3F8D3282FB91BFA3C5EABC4FB8F1FC98CB0
6216anydesk-8-0-8.exeC:\Users\admin\Desktop\gcapi.dllexecutable
MD5:1CE7D5A1566C8C449D0F6772A8C27900
SHA256:73170761D6776C0DEBACFBBC61B6988CB8270A20174BF5C049768A264BB8FFAF
5756anydesk-8-0-8.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-msbinary
MD5:E50BE6ECC497EE8C6D489591549C898B
SHA256:09808B3103DD6E2FBB77E073FDC28C5654FA024C3B43B3B13F725D756290D4F7
6216anydesk-8-0-8.exeC:\Users\admin\AppData\Roaming\AnyDesk\service.conftext
MD5:B6E17FEECCC85FC53446B5668C61354E
SHA256:0D21FDB2DF6EB6B64717B157A0364E4F39C2E50FA417DDECDBF02250AC712846
6216anydesk-8-0-8.exeC:\Users\admin\AppData\Local\Temp\gcapi.dllexecutable
MD5:1CE7D5A1566C8C449D0F6772A8C27900
SHA256:73170761D6776C0DEBACFBBC61B6988CB8270A20174BF5C049768A264BB8FFAF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
22
TCP/UDP connections
26
DNS requests
18
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6492
msedge.exe
GET
200
13.107.42.16:443
https://config.edge.skype.com/config/v1/Edge/111.0.1661.62?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig%2CEdgeDomainActions&osname=win&client=edge&channel=stable&scpfull=0&scpguard=0&scpfre=0&scpver=0&osarch=x86_64&osver=10.0.19044&wu=1&devicefamily=desktop&uma=0&sessionid=13&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245
US
binary
81.5 Kb
unknown
1612
svchost.exe
GET
200
72.246.169.155:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
814 b
unknown
6492
msedge.exe
GET
302
184.30.21.171:443
https://go.microsoft.com/fwlink/?linkid=2133855&bucket=15
US
unknown
6492
msedge.exe
POST
200
13.107.22.239:443
https://edge.microsoft.com/componentupdater/api/v1/update?cup2key=6:1ixv9sdCu7nl8fG7NBvWPtX_mqEpSwbeJRdIB5mTjOQ&cup2hreq=21131582e3b7bd38a5b9f3f9f8958e28d56bf7e6395e24d7ac14fc0a8be175fe
US
text
14.3 Kb
unknown
6492
msedge.exe
GET
200
204.79.197.239:443
https://edge.microsoft.com/neededge/v1?bucket=15
US
xml
741 Kb
unknown
784
svchost.exe
GET
206
23.48.23.7:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1707508716&P2=404&P3=2&P4=Bbviri1bEwmcxrhKIGK%2bnzMvamD2PrceCQ%2fhKHnlzHUX7TC0NK9nu16C%2fohv30h0nivUnmA6Ic7FVBjy2zi9nQ%3d%3d
DE
binary
1.09 Kb
unknown
784
svchost.exe
GET
206
23.48.23.7:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1707508716&P2=404&P3=2&P4=Bbviri1bEwmcxrhKIGK%2bnzMvamD2PrceCQ%2fhKHnlzHUX7TC0NK9nu16C%2fohv30h0nivUnmA6Ic7FVBjy2zi9nQ%3d%3d
DE
binary
1.59 Kb
unknown
784
svchost.exe
GET
206
23.48.23.7:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1707508716&P2=404&P3=2&P4=Bbviri1bEwmcxrhKIGK%2bnzMvamD2PrceCQ%2fhKHnlzHUX7TC0NK9nu16C%2fohv30h0nivUnmA6Ic7FVBjy2zi9nQ%3d%3d
DE
binary
2.09 Kb
unknown
784
svchost.exe
GET
206
23.48.23.7:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1707508716&P2=404&P3=2&P4=Bbviri1bEwmcxrhKIGK%2bnzMvamD2PrceCQ%2fhKHnlzHUX7TC0NK9nu16C%2fohv30h0nivUnmA6Ic7FVBjy2zi9nQ%3d%3d
DE
binary
9.49 Kb
unknown
784
svchost.exe
GET
206
23.48.23.7:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1707508716&P2=404&P3=2&P4=Bbviri1bEwmcxrhKIGK%2bnzMvamD2PrceCQ%2fhKHnlzHUX7TC0NK9nu16C%2fohv30h0nivUnmA6Ic7FVBjy2zi9nQ%3d%3d
DE
binary
3.73 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1612
svchost.exe
72.246.169.155:80
www.microsoft.com
AKAMAI-AS
DE
unknown
1612
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6216
anydesk-8-0-8.exe
49.12.130.237:443
boot.net.anydesk.com
Hetzner Online GmbH
DE
unknown
6216
anydesk-8-0-8.exe
49.12.130.237:80
boot.net.anydesk.com
Hetzner Online GmbH
DE
unknown
6216
anydesk-8-0-8.exe
49.12.130.237:6568
boot.net.anydesk.com
Hetzner Online GmbH
DE
unknown
5612
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4188
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6492
msedge.exe
204.79.197.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
6492
msedge.exe
23.213.166.81:443
go.microsoft.com
AKAMAI-AS
DE
unknown
3720
svchost.exe
239.255.255.250:1900
unknown

DNS requests

Domain
IP
Reputation
www.microsoft.com
  • 72.246.169.155
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
boot.net.anydesk.com
  • 49.12.130.237
  • 92.223.88.232
unknown
go.microsoft.com
  • 23.213.166.81
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
msedge.b.tlu.dl.delivery.mp.microsoft.com
  • 23.48.23.7
  • 23.48.23.66
  • 152.199.19.161
  • 87.248.205.0
whitelisted
relay-0135ac48.net.anydesk.com
  • 57.128.141.165
unknown
api.playanext.com
  • 3.162.38.60
  • 3.162.38.61
  • 3.162.38.49
  • 3.162.38.85
whitelisted
self.events.data.microsoft.com
  • 52.168.112.66
whitelisted

Threats

PID
Process
Class
Message
6216
anydesk-8-0-8.exe
Misc activity
ET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)
6216
anydesk-8-0-8.exe
Potential Corporate Privacy Violation
ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
anydesk-8-0-8.exe