File name:	AnyDesk.exe
Full analysis:	https://app.any.run/tasks/e91e0e80-22e1-4543-8088-a5c506f8d721
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Malware Trends Tracker >>>
Analysis date:	October 28, 2024, 05:59:17
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	anydesk tool adware
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	30C9C57AA570088D745FAC7BFD05B805
SHA1:	D579D18848859614E219AFA6332D410E0CA71FC3
SHA256:	8CD552392BB25546BA58E73D63C4B7C290188CA1060F96C8ABF641AE9F5A8383
SSDEEP:	98304:oOmZb0bHkeaRs4WpcF8uztWOiiROB4/Oo1sRFB:rmZb0bEds4XFR0OiC/GTB

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:06:27 12:18:07+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	10752
InitializedDataSize:	4012032
UninitializedDataSize:	13282816
EntryPoint:	0x1ce9
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	7.1.13.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Unknown (0)
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	AnyDesk Software GmbH
FileDescription:	AnyDesk
FileVersion:	7.1.13
ProductName:	AnyDesk
ProductVersion:	7.1
LegalCopyright:	(C) 2022 AnyDesk Software GmbH

PID	Process	Filename		Type
6256	AnyDesk.exe	C:\Users\admin\AppData\Roaming\AnyDesk\user.conf		text
		MD5:5059D0251F3292C45A54E0AB40CCA733	SHA256:88D22B3A6A8BCB3AB03CFAC5EEF7FDF1CF4C99E17576D05997D2F0DFC96B8189
6256	AnyDesk.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2GOB2AZ4JLSO6GYID95N.temp		binary
		MD5:3956872C83634B70F3B6EC436D7FBD3B	SHA256:FD25EF228390A170A76F81EAC471850AD4EFFA1A38A12627033151B06569D509
6256	AnyDesk.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms		binary
		MD5:3956872C83634B70F3B6EC436D7FBD3B	SHA256:FD25EF228390A170A76F81EAC471850AD4EFFA1A38A12627033151B06569D509
5516	AnyDesk.exe	C:\Users\admin\AppData\Roaming\AnyDesk\service.conf		text
		MD5:7C1902E4552A9C86EBF9628C13A6A550	SHA256:419F4A8FA375C29ABF7B1F7A5AB5B794FCF03A4A6036692B0C7EACCE0B0B73C7
5516	AnyDesk.exe	C:\Users\admin\Desktop\gcapi.dll		executable
		MD5:1CE7D5A1566C8C449D0F6772A8C27900	SHA256:73170761D6776C0DEBACFBBC61B6988CB8270A20174BF5C049768A264BB8FFAF
5516	AnyDesk.exe	C:\Users\admin\AppData\Local\Temp\gcapi.dll		executable
		MD5:1CE7D5A1566C8C449D0F6772A8C27900	SHA256:73170761D6776C0DEBACFBBC61B6988CB8270A20174BF5C049768A264BB8FFAF
5516	AnyDesk.exe	C:\Users\admin\AppData\Roaming\AnyDesk\system.conf		text
		MD5:0C04AD1083DC5C7C45E3EE2CD344AE38	SHA256:6452273C017DB7CBE0FFC5B109BBF3F8D3282FB91BFA3C5EABC4FB8F1FC98CB0

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.216.77.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.216.77.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1764	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5516	AnyDesk.exe	POST	200	18.245.86.84:80	http://api.playanext.com/httpapi	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1764	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	104.126.37.168:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5516	AnyDesk.exe	57.128.101.77:443	boot.net.anydesk.com	OVH SAS	FR	whitelisted
5516	AnyDesk.exe	57.128.101.77:80	boot.net.anydesk.com	OVH SAS	FR	whitelisted
—	—	23.216.77.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5488	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6944	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59	whitelisted
www.bing.com	104.126.37.168 104.126.37.178 104.126.37.176 104.126.37.186 104.126.37.128 104.126.37.179 104.126.37.170 104.126.37.163 104.126.37.185	whitelisted
google.com	142.250.181.238	whitelisted
boot.net.anydesk.com	57.128.101.77 37.59.29.33	whitelisted
crl.microsoft.com	23.216.77.19 23.216.77.25	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
relay-057a589d.net.anydesk.com	169.150.246.112	whitelisted
api.playanext.com	18.245.86.105 18.245.86.26 18.245.86.79 18.245.86.84	whitelisted
self.events.data.microsoft.com	20.42.65.89	whitelisted
relay-5eb344b6.net.anydesk.com	5.188.120.14	whitelisted

PID	Process	Class	Message
5516	AnyDesk.exe	Potential Corporate Privacy Violation	ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent
5516	AnyDesk.exe	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] Driver Updater Setup Process

General Info

AnyDesk.exe

30C9C57AA570088D745FAC7BFD05B805

D579D18848859614E219AFA6332D410E0CA71FC3

8CD552392BB25546BA58E73D63C4B7C290188CA1060F96C8ABF641AE9F5A8383

98304:oOmZb0bHkeaRs4WpcF8uztWOiiROB4/Oo1sRFB:rmZb0bEds4XFR0OiC/GTB

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ADWARE has been detected (SURICATA)

SUSPICIOUS

Found AnyDesk certificate that may have been compromised

Application launched itself

ANYDESK has been found

Connects to unusual port

Executable content was dropped or overwritten

Potential Corporate Privacy Violation

Access to an unwanted program domain was detected

INFO

Creates files or folders in the user directory

Process checks whether UAC notifications are on

Checks supported languages

The process uses the downloaded file

Reads the computer name

Reads the machine GUID from the registry

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings