File name: AnyDesk 7.0.13 + Portable.exe

Full analysis: https://app.any.run/tasks/2d597f9f-7003-4d0b-93bd-90d869c0ee82
Verdict: Malicious activity
Analysis date: January 14, 2026, 13:41:14
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: anydesk, rmm-tool
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 36D6BE2D72171C741E2989A578011CD8
SHA1: A1D46B3C7418D8D29208F352E27F5C9AF62006E9
SHA256: 7C20393E638D2873153D2873F04464D4BAD32A4D40EABB48D66608650F7D4494
SSDEEP: 98304:lteJ+SmNiv4xKp0yl9WIS+7TzNY1ZpXXtfw4bIap4/sAk3G3ApFx75mF/kgZVTDz:R5cyo+y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Found AnyDesk certificate that may have been compromised

      • AnyDesk 7.0.13 + Portable.exe (PID: 7588)
      • AnyDesk 7.0.13 + Portable.exe (PID: 7680)
      • AnyDesk 7.0.13 + Portable.exe (PID: 7688)
    • ANYDESK mutex has been found

      • AnyDesk 7.0.13 + Portable.exe (PID: 7588)
      • AnyDesk 7.0.13 + Portable.exe (PID: 7688)
      • AnyDesk 7.0.13 + Portable.exe (PID: 7680)
    • Application launched itself

      • AnyDesk 7.0.13 + Portable.exe (PID: 7588)
    • ANYDESK has been found

      • AnyDesk 7.0.13 + Portable.exe (PID: 7588)
    • Executable content was dropped or overwritten

      • AnyDesk 7.0.13 + Portable.exe (PID: 7680)
  • INFO

    • The sample compiled with english language support

      • AnyDesk 7.0.13 + Portable.exe (PID: 7588)
      • AnyDesk 7.0.13 + Portable.exe (PID: 7680)
    • Creates files or folders in the user directory

      • AnyDesk 7.0.13 + Portable.exe (PID: 7588)
    • Checks supported languages

      • AnyDesk 7.0.13 + Portable.exe (PID: 7588)
      • AnyDesk 7.0.13 + Portable.exe (PID: 7680)
      • AnyDesk 7.0.13 + Portable.exe (PID: 7688)
    • Process checks whether UAC notifications are on

      • AnyDesk 7.0.13 + Portable.exe (PID: 7588)
    • Reads the computer name

      • AnyDesk 7.0.13 + Portable.exe (PID: 7588)
      • AnyDesk 7.0.13 + Portable.exe (PID: 7680)
      • AnyDesk 7.0.13 + Portable.exe (PID: 7688)
    • Reads the machine GUID from the registry

      • AnyDesk 7.0.13 + Portable.exe (PID: 7588)
      • AnyDesk 7.0.13 + Portable.exe (PID: 7680)
      • AnyDesk 7.0.13 + Portable.exe (PID: 7688)
    • Checks proxy server information

      • AnyDesk 7.0.13 + Portable.exe (PID: 7688)
      • slui.exe (PID: 4628)
    • Reads CPU info

      • AnyDesk 7.0.13 + Portable.exe (PID: 7588)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:07:12 19:07:49+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 10752
InitializedDataSize: 3824128
UninitializedDataSize: 12477440
EntryPoint: 0x1ce9
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 7.0.13.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: AnyDesk Software GmbH
FileDescription: AnyDesk
FileVersion: 7.0.13
ProductName: AnyDesk
ProductVersion: 7
LegalCopyright: (C) 2022 AnyDesk Software GmbH
No data.
Total processes: 154
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 2

Behavior graph

[Behavior graph: process nodes anydesk 7.0.13 + portable.exe (three instances) and slui.exe]

Process information

PID: 4628
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 7588
CMD: "C:\Users\admin\AppData\Local\Temp\AnyDesk 7.0.13 + Portable.exe"
Path: C:\Users\admin\AppData\Local\Temp\AnyDesk 7.0.13 + Portable.exe
Parent process: explorer.exe
User: admin
Company: AnyDesk Software GmbH
Integrity Level: MEDIUM
Description: AnyDesk
Exit code: 0
Version: 7.0.13
Modules (images):
c:\users\admin\appdata\local\temp\anydesk 7.0.13 + portable.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll

PID: 7680
CMD: "C:\Users\admin\AppData\Local\Temp\AnyDesk 7.0.13 + Portable.exe" --local-service
Path: C:\Users\admin\AppData\Local\Temp\AnyDesk 7.0.13 + Portable.exe
Parent process: AnyDesk 7.0.13 + Portable.exe
User: admin
Company: AnyDesk Software GmbH
Integrity Level: MEDIUM
Description: AnyDesk
Exit code: 0
Version: 7.0.13
Modules (images):
c:\users\admin\appdata\local\temp\anydesk 7.0.13 + portable.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll

PID: 7688
CMD: "C:\Users\admin\AppData\Local\Temp\AnyDesk 7.0.13 + Portable.exe" --local-control
Path: C:\Users\admin\AppData\Local\Temp\AnyDesk 7.0.13 + Portable.exe
Parent process: AnyDesk 7.0.13 + Portable.exe
User: admin
Company: AnyDesk Software GmbH
Integrity Level: MEDIUM
Description: AnyDesk
Exit code: 0
Version: 7.0.13
Modules (images):
c:\users\admin\appdata\local\temp\anydesk 7.0.13 + portable.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll

Total events: 4 337
Read events: 4 337
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 11
Text files: 4
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7588 | AnyDesk 7.0.13 + Portable.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PZIPAGV7E0P1NIQ6800J.temp | binary
MD5:14E84D8320FAE006ECC599CBDF47F8DE
SHA256:0950A6EC94C0EA899C6331FFE78D958E6BF270A914B5B2F73852A5A374772BF2
7588 | AnyDesk 7.0.13 + Portable.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NFTT41AISC09OYIVTTVV.temp | binary
MD5:0CFDE25F9F61A3B12F56A249F5F90C79
SHA256:54895F2CC501CB5AC0B4BDEBD00322B10518F1F8C5CB85F9428CF81F6E7702A9
7588 | AnyDesk 7.0.13 + Portable.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T6ZULMTWFDJQ7YTYN87O.temp | binary
MD5:FB4080AA96549166404BD6520359DB3B
SHA256:0AC0B38495A47173130904DA76C50AA73FC810AE077FEE6860BC1A9032905ADB
7588 | AnyDesk 7.0.13 + Portable.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms~RF108eb5.TMP | binary
MD5:14E84D8320FAE006ECC599CBDF47F8DE
SHA256:0950A6EC94C0EA899C6331FFE78D958E6BF270A914B5B2F73852A5A374772BF2
7680 | AnyDesk 7.0.13 + Portable.exe | C:\Users\admin\AppData\Roaming\AnyDesk\system.conf | text
MD5:979412445E04EDDDB523BBF64F2D9E25
SHA256:C253A9DB55EFEB183543BAA5965F0D279B0E4ECD7E6211E231E8E8F5C8DFE596
7588 | AnyDesk 7.0.13 + Portable.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms~RFfdfd7.TMP | binary
MD5:FB4080AA96549166404BD6520359DB3B
SHA256:0AC0B38495A47173130904DA76C50AA73FC810AE077FEE6860BC1A9032905ADB
7680 | AnyDesk 7.0.13 + Portable.exe | C:\Users\admin\AppData\Local\Temp\gcapi.dll | executable
MD5:1CE7D5A1566C8C449D0F6772A8C27900
SHA256:73170761D6776C0DEBACFBBC61B6988CB8270A20174BF5C049768A264BB8FFAF
7588 | AnyDesk 7.0.13 + Portable.exe | C:\Users\admin\AppData\Roaming\AnyDesk\ad.trace | text
MD5:84C3BA1224303220B9431F726201509A
SHA256:F9C8C3F9DA29AC0C4730372BFF14790159535D3F0160F224B7B4FF36AE16C889
7588 | AnyDesk 7.0.13 + Portable.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ASPKLCXPMIXMZK8FCGT1.temp | binary
MD5:0CFDE25F9F61A3B12F56A249F5F90C79
SHA256:54895F2CC501CB5AC0B4BDEBD00322B10518F1F8C5CB85F9428CF81F6E7702A9
7588 | AnyDesk 7.0.13 + Portable.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms~RF108ec5.TMP | binary
MD5:0CFDE25F9F61A3B12F56A249F5F90C79
SHA256:54895F2CC501CB5AC0B4BDEBD00322B10518F1F8C5CB85F9428CF81F6E7702A9

HTTP(S) requests: 140
TCP/UDP connections: 49
DNS requests: 24
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

6768 | MoUsoCoreWorker.exe | GET | 304 | 40.127.240.158:443
https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop
CN: unknown | Reputation: whitelisted

6768 | MoUsoCoreWorker.exe | GET | 304 | 40.127.240.158:443
https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30
CN: unknown | Reputation: whitelisted

7108 | svchost.exe | GET | 200 | 184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
CN: unknown | Reputation: whitelisted

7108 | svchost.exe | POST | 200 | 40.126.32.136:443
https://login.live.com/RST2.srf
CN: unknown | Type: xml | Size: 11.1 Kb | Reputation: whitelisted

7108 | svchost.exe | POST | 200 | 40.126.32.136:443
https://login.live.com/RST2.srf
CN: unknown | Type: xml | Size: 10.3 Kb | Reputation: whitelisted

2600 | svchost.exe | GET | 200 | 4.231.128.59:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=562&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=0&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
CN: unknown | Type: text | Size: 5.56 Kb | Reputation: whitelisted

2600 | svchost.exe | GET | 200 | 2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
CN: unknown | Reputation: whitelisted

2600 | svchost.exe | GET | 200 | 72.246.29.11:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
CN: unknown | Reputation: whitelisted

7108 | svchost.exe | POST | 200 | 40.126.32.136:443
https://login.live.com/RST2.srf
CN: unknown | Type: xml | Size: 10.3 Kb | Reputation: whitelisted

7108 | svchost.exe | POST | 200 | 40.126.32.136:443
https://login.live.com/RST2.srf
CN: unknown | Type: xml | Size: 10.3 Kb | Reputation: whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2600 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | Not routed | whitelisted
6768 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1572 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | Not routed | whitelisted
7680 | AnyDesk 7.0.13 + Portable.exe | 92.223.88.41:443 | boot.net.anydesk.com | GCORE | LU | whitelisted
7680 | AnyDesk 7.0.13 + Portable.exe | 57.128.75.90:443 | relay-8b613d8b.net.anydesk.com | OVH | FR | unknown
3412 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7108 | svchost.exe | 40.126.32.136:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7108 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 4.231.128.59 | whitelisted
google.com | 216.58.206.46 | whitelisted
boot.net.anydesk.com | 57.129.37.28, 57.129.19.230, 185.229.190.236, 92.223.88.232, 195.181.174.167, 185.229.191.44, 185.229.191.39, 92.223.88.7, 92.223.88.41 | unknown
relay-8b613d8b.net.anydesk.com | 57.128.75.90 | unknown
client.wns.windows.com | 172.211.123.250 | whitelisted
login.live.com | 40.126.32.136, 20.190.160.67, 20.190.160.4, 20.190.160.3, 40.126.32.140, 40.126.32.74, 40.126.32.138, 40.126.32.133 | whitelisted
ocsp.digicert.com | 184.30.131.245, 2.17.190.73 | whitelisted
crl.microsoft.com | 2.16.168.124, 2.16.168.114, 2.16.241.19, 2.16.241.12 | whitelisted
www.microsoft.com | 72.246.29.11, 23.59.18.102 | whitelisted
www.bing.com | 2.16.204.134, 2.16.204.141, 2.16.204.160, 2.16.204.138, 2.16.204.161, 2.16.204.137, 2.16.204.135, 2.16.204.136, 2.16.204.139 | whitelisted

Threats

PID | Process | Class | Message
2292 | svchost.exe | Misc activity | ET REMOTE_ACCESS Anydesk Relay Domain (net .anydesk .com) in DNS Lookup
2292 | svchost.exe | Misc activity | ET REMOTE_ACCESS Anydesk Relay Domain (net .anydesk .com) in DNS Lookup
2292 | svchost.exe | Misc activity | ET REMOTE_ACCESS Anydesk Domain (boot .net .anydesk .com) in DNS Lookup
No debug info