File name:

Setup.exe

Full analysis: https://app.any.run/tasks/4f46676f-031a-4cbc-8754-0ae81b4c2893
Verdict: Malicious activity
Analysis date: July 26, 2025, 08:40:53
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
anydesk
rmm-tool
auto-startup
arch-exec
arch-scr
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

C936CC3AC43A1769E7AADD4B003B2D47

SHA1:

117713DD968BE219B70BB73ED0EA8D9C4CF4A3DF

SHA256:

B9D164B2A6F9524F01EE02A73869C12DD922FC6A5210AADB2F64E0D24E43CE33

SSDEEP:

98304:yC3CpAZJebngUnAGFJ+90pB1/B91QEZjai4+KPYfJ8/r35RPV0VBptmsoFqetcF7:Pb7yBm6aqBy2EabxUyVLkgGS5lA/P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • AnyDesk.exe (PID: 2972)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7044)
  • SUSPICIOUS

    • The process drops C-runtime libraries

      • Setup.exe (PID: 6788)
      • Setup.exe (PID: 4232)
    • Executable content was dropped or overwritten

      • Setup.exe (PID: 6788)
      • Setup.exe (PID: 4232)
      • Setup.exe (PID: 1180)
      • AnyDesk.exe (PID: 2972)
    • Process drops python dynamic module

      • Setup.exe (PID: 6788)
      • Setup.exe (PID: 4232)
    • Process drops legitimate windows executable

      • Setup.exe (PID: 6788)
      • Setup.exe (PID: 4232)
    • Application launched itself

      • Setup.exe (PID: 6788)
      • Setup.exe (PID: 4232)
      • Setup.exe (PID: 6128)
      • AnyDesk.exe (PID: 2972)
      • cmd.exe (PID: 1576)
      • cmd.exe (PID: 3460)
    • Reads security settings of Internet Explorer

      • Setup.exe (PID: 6128)
    • Reads the date of Windows installation

      • Setup.exe (PID: 6128)
    • ANYDESK mutex has been found

      • AnyDesk.exe (PID: 7164)
      • AnyDesk.exe (PID: 2972)
      • AnyDesk.exe (PID: 2140)
      • AnyDesk.exe (PID: 1496)
      • AnyDesk.exe (PID: 6956)
      • AnyDesk.exe (PID: 6656)
      • AnyDesk.exe (PID: 4540)
      • AnyDesk.exe (PID: 2076)
      • AnyDesk.exe (PID: 5600)
    • Creates file in the systems drive root

      • AnyDesk.exe (PID: 2972)
    • ANYDESK has been found

      • AnyDesk.exe (PID: 2972)
      • cmd.exe (PID: 1576)
      • AnyDesk.exe (PID: 1496)
      • AnyDesk.exe (PID: 6956)
      • AnyDesk.exe (PID: 2972)
      • cmd.exe (PID: 6756)
      • AnyDesk.exe (PID: 4540)
      • cmd.exe (PID: 3460)
      • AnyDesk.exe (PID: 6656)
      • AnyDesk.exe (PID: 5600)
    • Starts CMD.EXE for commands execution

      • Setup.exe (PID: 1180)
      • cmd.exe (PID: 1576)
      • cmd.exe (PID: 3460)
    • Executing commands from a ".bat" file

      • Setup.exe (PID: 1180)
    • The executable file from the user directory is run by the CMD process

      • AnyDesk.exe (PID: 2972)
    • Creates a software uninstall entry

      • AnyDesk.exe (PID: 2972)
      • AnyDesk.exe (PID: 6956)
    • Executes as Windows Service

      • AnyDesk.exe (PID: 6956)
    • Searches for installed software

      • AnyDesk.exe (PID: 1496)
      • AnyDesk.exe (PID: 6656)
      • AnyDesk.exe (PID: 6956)
      • AnyDesk.exe (PID: 4540)
      • AnyDesk.exe (PID: 5600)
  • INFO

    • Checks supported languages

      • Setup.exe (PID: 6788)
      • Setup.exe (PID: 6128)
      • Setup.exe (PID: 1180)
      • Setup.exe (PID: 4232)
      • AnyDesk.exe (PID: 7164)
      • AnyDesk.exe (PID: 2140)
      • AnyDesk.exe (PID: 2972)
      • AnyDesk.exe (PID: 6956)
      • AnyDesk.exe (PID: 6656)
      • AnyDesk.exe (PID: 1496)
      • AnyDesk.exe (PID: 4540)
      • AnyDesk.exe (PID: 2076)
      • AnyDesk.exe (PID: 5600)
    • Create files in a temporary directory

      • Setup.exe (PID: 6788)
      • Setup.exe (PID: 4232)
      • Setup.exe (PID: 1180)
    • The sample compiled with english language support

      • Setup.exe (PID: 6788)
      • Setup.exe (PID: 4232)
      • Setup.exe (PID: 1180)
      • AnyDesk.exe (PID: 2972)
    • Reads the computer name

      • Setup.exe (PID: 6788)
      • Setup.exe (PID: 6128)
      • Setup.exe (PID: 1180)
      • Setup.exe (PID: 4232)
      • AnyDesk.exe (PID: 2972)
      • AnyDesk.exe (PID: 2140)
      • AnyDesk.exe (PID: 7164)
      • AnyDesk.exe (PID: 6656)
      • AnyDesk.exe (PID: 1496)
      • AnyDesk.exe (PID: 6956)
      • AnyDesk.exe (PID: 4540)
      • AnyDesk.exe (PID: 2076)
      • AnyDesk.exe (PID: 5600)
    • Process checks computer location settings

      • Setup.exe (PID: 6128)
    • Creates files or folders in the user directory

      • AnyDesk.exe (PID: 2972)
    • Reads the machine GUID from the registry

      • AnyDesk.exe (PID: 2140)
      • AnyDesk.exe (PID: 6956)
      • AnyDesk.exe (PID: 6656)
    • Checks proxy server information

      • AnyDesk.exe (PID: 7164)
      • AnyDesk.exe (PID: 1496)
      • slui.exe (PID: 6656)
    • Creates files in the program directory

      • AnyDesk.exe (PID: 2972)
      • AnyDesk.exe (PID: 6956)
    • Launching a file from the Startup directory

      • AnyDesk.exe (PID: 2972)
    • Manual execution by a user

      • AnyDesk.exe (PID: 1496)
      • cmd.exe (PID: 3460)
      • powershell.exe (PID: 7044)
      • AnyDesk.exe (PID: 5600)
    • Reads CPU info

      • AnyDesk.exe (PID: 5600)
    • Reads the software policy settings

      • slui.exe (PID: 6656)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7044)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:07:26 08:34:39+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 174592
InitializedDataSize: 157184
UninitializedDataSize: -
EntryPoint: 0xd0d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
Total processes
153
Monitored processes
23
Malicious processes
7
Suspicious processes
5

Behavior graph

[Behavior graph (image not preserved). Nodes: start, setup.exe, cmd.exe, conhost.exe, anydesk.exe, powershell.exe, slui.exe]

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1180
CMD: "C:\Users\admin\Desktop\Setup.exe" "C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\Desktop\Setup.exe
Parent process: Setup.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\users\admin\desktop\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 1496
CMD: "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
Path: C:\Program Files (x86)\AnyDesk\AnyDesk.exe
Parent process: explorer.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Version:
8.0.8
Modules
Images
c:\program files (x86)\anydesk\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
PID: 1576
CMD: C:\WINDOWS\system32\cmd.exe /c C:\Users\admin\AppData\Local\Temp\tmpnnq9w60i\installer.bat
Path: C:\Windows\System32\cmd.exe
Parent process: Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
255
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
PID: 2076
CMD: "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --set-password _unattended_access
Path: C:\Program Files (x86)\AnyDesk\AnyDesk.exe
Parent process: cmd.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Version:
8.0.8
Modules
Images
c:\program files (x86)\anydesk\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\winmm.dll
c:\windows\syswow64\msvcrt.dll
PID: 2140
CMD: "C:\Users\admin\AppData\Local\Temp\tmpnnq9w60i\AnyDesk.exe" --local-service
Path: C:\Users\admin\AppData\Local\Temp\tmpnnq9w60i\AnyDesk.exe
Parent process: AnyDesk.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
HIGH
Description:
AnyDesk
Exit code:
9099
Version:
8.0.8
Modules
Images
c:\users\admin\appdata\local\temp\tmpnnq9w60i\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
PID: 2972
CMD: AnyDesk.exe --install "C:\Program Files (x86)\AnyDesk" --start-with-win --remove-first --update-disabled --silent
Path: C:\Users\admin\AppData\Local\Temp\tmpnnq9w60i\AnyDesk.exe
Parent process: cmd.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
HIGH
Description:
AnyDesk
Exit code:
0
Version:
8.0.8
Modules
Images
c:\users\admin\appdata\local\temp\tmpnnq9w60i\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
PID: 3460
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\installer.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 4232
CMD: "C:\Users\admin\Desktop\Setup.exe" "C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\Desktop\Setup.exe
Parent process: Setup.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\users\admin\desktop\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 4540
CMD: "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --get-id
Path: C:\Program Files (x86)\AnyDesk\AnyDesk.exe
Parent process: cmd.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
HIGH
Description:
AnyDesk
Exit code:
0
Version:
8.0.8
Modules
Images
c:\program files (x86)\anydesk\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
PID: 4544
CMD: C:\WINDOWS\system32\cmd.exe /S /D /c" echo LOCREMOTEPC "
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events
10 131
Read events
10 108
Write events
23
Delete events
0

Modification events

(PID) Process: (2972) AnyDesk.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation: write
Name: DisplayIcon
Value: "C:\Program Files (x86)\AnyDesk\AnyDesk.exe"

(PID) Process: (2972) AnyDesk.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation: write
Name: DisplayName
Value: AnyDesk

(PID) Process: (2972) AnyDesk.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation: write
Name: DisplayVersion
Value: ad 8.0.8

(PID) Process: (2972) AnyDesk.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation: write
Name: EstimatedSize
Value: 2048

(PID) Process: (2972) AnyDesk.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation: write
Name: HelpLink
Value: https://help.anydesk.com/

(PID) Process: (2972) AnyDesk.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation: write
Name: InstallLocation
Value: "C:\Program Files (x86)\AnyDesk"

(PID) Process: (2972) AnyDesk.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation: write
Name: Publisher
Value: AnyDesk Software GmbH

(PID) Process: (2972) AnyDesk.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation: write
Name: UninstallString
Value: "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --uninstall

(PID) Process: (2972) AnyDesk.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation: write
Name: VersionMajor
Value: 8

(PID) Process: (2972) AnyDesk.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation: write
Name: VersionMinor
Value: 0
Executable files
44
Suspicious files
11
Text files
13
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6788
Process: Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI67882\_overlapped.pyd
Type: executable
MD5:55D570234A19D5A3E7F4D9D845A4223E
SHA256:E35B160BC6EF019593CFB7383D04E10D6F5FE1B9D464E32D46E760BEE0943308
PID: 6788
Process: Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI67882\base_library.zip
Type: compressed
MD5:72C405A81551C424D7BE87A77D1716A7
SHA256:082A86A2FB3FA3B194BA50AB0FCDCD0C222626F7EA1955C720DD6AF4069E93F1
PID: 6788
Process: Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI67882\_ctypes.pyd
Type: executable
MD5:DE0B4AA088EE89BB15F8EB5C9DD20987
SHA256:E0B6B4CFCC59BBB8F84F31F337C74774C895EAC4CF47AD36474022A0C6D2B049
PID: 6788
Process: Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI67882\charset_normalizer\md__mypyc.cp313-win_amd64.pyd
Type: executable
MD5:342BFE1BDE70E267CC3CBF96F3ADCD6F
SHA256:BCC4FE2B0C1D0F3239E9C0A8FC46984D4A869F410898F1BC4EA8662D66418280
PID: 6788
Process: Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI67882\_multiprocessing.pyd
Type: executable
MD5:181CBC250909CBC7CBB9A36DDE570F69
SHA256:B51F8808C182CC21DD1C7DCB74B9F31D9602EDAC096BC8C79A99BA412D89D045
PID: 6788
Process: Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI67882\_socket.pyd
Type: executable
MD5:6A096C81110F6CFF6C04F34995F19B2C
SHA256:CD658E448DA0C7986B3FDD12E8EC8A8313A6330723188A7E1D9EA378C4228873
PID: 6788
Process: Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI67882\_ssl.pyd
Type: executable
MD5:689368FE253E7BD465D35C8B4016AD75
SHA256:7104EBB48FA102E25484AA914BE09853940A50FFC025013C2803163741F38C0B
PID: 6788
Process: Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI67882\charset_normalizer\md.cp313-win_amd64.pyd
Type: executable
MD5:36D639AA2E4878640057CEB621D1E45D
SHA256:CC7DD4678FA9AF8F5B6B9EE011D10645976AAD5B28816139EE22C84387D3CCF9
PID: 6788
Process: Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI67882\libcrypto-3.dll
Type: executable
MD5:D33016892C48FFBADE336836F1A57B9A
SHA256:797EE449E5415310BD1F0A050E9BADD00A1BE60629DCC24EE3D0825793043EED
PID: 6788
Process: Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI67882\libffi-8.dll
Type: executable
MD5:FB18EE22749696CF9EDE99F211544E75
SHA256:8EDBA78618E85B8FA8D7CE767B4BFD0CA17C3C57DD233B4FF516FF6BF2BA17CF
HTTP(S) requests
8
TCP/UDP connections
62
DNS requests
12
Threats
5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
- | - | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
- | - | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 51.104.136.2 | whitelisted
google.com | 142.250.185.174 | whitelisted
crl.microsoft.com | 23.216.77.28, 23.216.77.6 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
boot.net.anydesk.com | 185.229.191.39, 57.129.19.230, 57.129.37.75, 185.229.190.236, 57.129.37.28, 92.223.88.7, 92.223.88.232, 92.223.88.41, 195.181.174.167, 185.229.191.44 | whitelisted
relay-58b7ae25.net.anydesk.com | 138.199.27.228 | whitelisted
relay-0aa15db9.net.anydesk.com | 51.89.98.178 | whitelisted
relay-c9990d24.net.anydesk.com | 208.115.231.190 | whitelisted
self.events.data.microsoft.com | 52.168.117.171 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

PID | Process | Class | Message
2200 | svchost.exe | Misc activity | ET REMOTE_ACCESS Anydesk Relay Domain (net .anydesk .com) in DNS Lookup
2200 | svchost.exe | Misc activity | ET REMOTE_ACCESS Anydesk Domain (boot .net .anydesk .com) in DNS Lookup
2200 | svchost.exe | Misc activity | ET REMOTE_ACCESS Anydesk Relay Domain (net .anydesk .com) in DNS Lookup
2200 | svchost.exe | Misc activity | ET REMOTE_ACCESS Anydesk Relay Domain (net .anydesk .com) in DNS Lookup
2200 | svchost.exe | Misc activity | ET REMOTE_ACCESS Anydesk Relay Domain (net .anydesk .com) in DNS Lookup
No debug info