File name: AnyDesk.exe

Full analysis: https://app.any.run/tasks/69f291e3-69af-4ce3-9253-b3754c5d3466
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Analysis date: April 29, 2025, 14:35:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: anydesk, rmm-tool, inno, installer, delphi, silverfox, backdoor, xor-url, generic, wsftprm-sys, vuln-driver, valleyrat, winos, rat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5: E5FA2BBB5DCFA7A98B08FD30A6E68F8B
SHA1: 45531A3ECB042CF5690F4B6DA5674086331EAF3B
SHA256: C7C33403BF5F1C1D43CF18B4604D0152B0CD631DF147F3FDBB318D5AA7E745ED
SSDEEP: 393216:+9+fh/WgNimY9qFD5HRADrrS939ClcwDVx52v5Nsuzwo2JifINiNxB:lfh/lRGrS939Clc6V0IaX2wfIAND

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Vulnerable driver has been detected

      • FritizenES.exe (PID: 3020)
    • Connects to the CnC server

      • UniClient.exe (PID: 6676)
    • XORed URL has been found (YARA)

      • FritizenES.exe (PID: 3020)
    • SILVERFOX has been detected (SURICATA)

      • UniClient.exe (PID: 6676)
    • WINOS has been detected (YARA)

      • UniClient.exe (PID: 6676)
    • Changes Windows Defender settings

      • FritizenES.exe (PID: 3020)
    • Adds path to the Windows Defender exclusion list

      • FritizenES.exe (PID: 3020)
    • VALLEYRAT has been detected (YARA)

      • UniClient.exe (PID: 6676)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • AnyDesk.exe (PID: 6988)
      • AnyDesk.exe (PID: 4120)
      • AnyDesk.tmp (PID: 920)
      • FritizenES.exe (PID: 3020)
    • Reads security settings of Internet Explorer

      • AnyDesk.tmp (PID: 5056)
      • FritizenES.exe (PID: 3020)
    • Reads the Windows owner or organization settings

      • AnyDesk.tmp (PID: 920)
    • Process drops legitimate windows executable

      • AnyDesk.tmp (PID: 920)
      • FritizenES.exe (PID: 3020)
    • The process drops C-runtime libraries

      • FritizenES.exe (PID: 3020)
    • Starts CMD.EXE for commands execution

      • FritizenES.exe (PID: 3020)
    • Reads the date of Windows installation

      • FritizenES.exe (PID: 3020)
    • Script adds exclusion path to Windows Defender

      • FritizenES.exe (PID: 3020)
    • Connects to unusual port

      • UniClient.exe (PID: 6676)
    • There is functionality for taking screenshots (YARA)

      • FritizenES.exe (PID: 3020)
      • UniClient.exe (PID: 6676)
    • Searches for installed software

      • UniClient.exe (PID: 6676)
    • Contacting a server suspected of hosting a CnC

      • UniClient.exe (PID: 6676)
    • Detected use of alternative data streams (AltDS)

      • FritizenES.exe (PID: 3020)
    • Starts POWERSHELL.EXE for commands execution

      • FritizenES.exe (PID: 3020)
  • INFO

    • Checks supported languages

      • AnyDesk.tmp (PID: 5056)
      • AnyDesk.exe (PID: 6988)
      • AnyDesk.exe (PID: 4120)
      • AnyDesk.tmp (PID: 920)
      • FritizenES.exe (PID: 3020)
      • UniClient.exe (PID: 6676)
    • Creates files in a temporary directory

      • AnyDesk.exe (PID: 6988)
      • AnyDesk.exe (PID: 4120)
      • AnyDesk.tmp (PID: 920)
      • FritizenES.exe (PID: 3020)
    • Reads the computer name

      • AnyDesk.tmp (PID: 5056)
      • AnyDesk.exe (PID: 4120)
      • AnyDesk.tmp (PID: 920)
      • FritizenES.exe (PID: 3020)
      • UniClient.exe (PID: 6676)
    • Process checks computer location settings

      • AnyDesk.tmp (PID: 5056)
      • FritizenES.exe (PID: 3020)
    • The sample is compiled with English language support

      • AnyDesk.tmp (PID: 920)
      • FritizenES.exe (PID: 3020)
    • Creates files or folders in the user directory

      • AnyDesk.tmp (PID: 920)
    • Compiled with Borland Delphi (YARA)

      • AnyDesk.exe (PID: 6988)
    • Detects InnoSetup installer (YARA)

      • AnyDesk.exe (PID: 6988)
    • Creates files in the program directory

      • FritizenES.exe (PID: 3020)
    • The sample is compiled with Chinese language support

      • FritizenES.exe (PID: 3020)
      • AnyDesk.tmp (PID: 920)
    • Reads Environment values

      • UniClient.exe (PID: 6676)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4272)
    • Reads product name

      • UniClient.exe (PID: 6676)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4272)
    • Reads the software policy settings

      • slui.exe (PID: 1628)
    • Checks proxy server information

      • slui.exe (PID: 1628)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

(PID) Process(3020) FritizenES.exe
Decrypted-URLs (31)
Decrypted-URLs (9)
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:12 07:26:53+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 685056
InitializedDataSize: 159744
UninitializedDataSize: -
EntryPoint: 0xa83bc
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: JKGJG23JK5GJGJG6J2H3HJ46HJK4236ASFASFASasfasfasehshsehsehasg
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName: JKGJG23JK5GJGJG6J2H3HJ46HJK4236ASFASFASasfasfasehshsehsehasg
ProductVersion: 5.61.7.231
No data.
Screenshots

All screenshots are available in the full report
Total processes: 137
Monitored processes: 11
Malicious processes: 7
Suspicious processes: 0

Behavior graph

start
  anydesk.exe (PID 6988)
    anydesk.tmp (PID 5056)
      anydesk.exe (PID 4120)
        anydesk.tmp (PID 920)
          fritizenes.exe (PID 3020) #XOR-URL
            cmd.exe (PID 4408)
              conhost.exe (PID 6324)
              uniclient.exe (PID 6676) #SILVERFOX
            powershell.exe (PID 4272)
              conhost.exe (PID 5384)
  slui.exe (PID 1628)

Process information

PID: 920
CMD: "C:\Users\admin\AppData\Local\Temp\is-6UGES.tmp\AnyDesk.tmp" /SL5="$402E6,67817908,845824,C:\Users\admin\AppData\Local\Temp\AnyDesk.exe" /SPAWNWND=$40288 /NOTIFYWND=$9030C
Path: C:\Users\admin\AppData\Local\Temp\is-6UGES.tmp\AnyDesk.tmp
Parent process: AnyDesk.exe
User: admin
Company:
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-6uges.tmp\anydesk.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 1628
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3020
CMD: "C:\Users\admin\AppData\Roaming\HJ4G23J6G34J2HKG6HJK34GKHJ463GJK2346346FHJ234F6F2H34HG6FHJASGGASGASGafwgawggawawgawgjtdfftjawgawgawgawg\FritizenES.exe"
Path: C:\Users\admin\AppData\Roaming\HJ4G23J6G34J2HKG6HJK34GKHJ463GJK2346346FHJ234F6F2H34HG6FHJASGGASGASGafwgawggawawgawgjtdfftjawgawgawgawg\FritizenES.exe
Parent process: AnyDesk.tmp
User: admin
Company: Cfx.re
Integrity Level: HIGH
Description: RedM
Exit code: 0
Version: 2.0.0.6775
Modules
Images
c:\users\admin\appdata\roaming\hj4g23j6g34j2hkg6hjk34gkhj463gjk2346346fhj234f6f2h34hg6fhjasggasgasgafwgawggawawgawgjtdfftjawgawgawgawg\fritizenes.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 4120
CMD: "C:\Users\admin\AppData\Local\Temp\AnyDesk.exe" /SPAWNWND=$40288 /NOTIFYWND=$9030C
Path: C:\Users\admin\AppData\Local\Temp\AnyDesk.exe
Parent process: AnyDesk.tmp
User: admin
Company:
Integrity Level: HIGH
Description: JKGJG23JK5GJGJG6J2H3HJ46HJK4236ASFASFASasfasfasehshsehsehasg
Exit code: 0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID: 4272
CMD: powershell.exe -Command "Add-MpPreference -ExclusionPath "C:\ProgramData\qacKUW9N""
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: FritizenES.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 4408
CMD: "C:\Windows\System32\cmd.exe" /c C:\ProgramData\qacKUW9N\UniClient.exe
Path: C:\Windows\System32\cmd.exe
Parent process: FritizenES.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 5056
CMD: "C:\Users\admin\AppData\Local\Temp\is-ISOPM.tmp\AnyDesk.tmp" /SL5="$9030C,67817908,845824,C:\Users\admin\AppData\Local\Temp\AnyDesk.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-ISOPM.tmp\AnyDesk.tmp
Parent process: AnyDesk.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-isopm.tmp\anydesk.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 5384
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6324
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6676
CMD: C:\ProgramData\qacKUW9N\UniClient.exe
Path: C:\ProgramData\qacKUW9N\UniClient.exe
Parent process: cmd.exe
User: admin
Company: 上海市数字证书认证中心有限公司
Integrity Level: HIGH
Description: 协卡助手
Version: 3.6.9.2
Modules
Images
c:\programdata\qackuw9n\uniclient.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 7 361
Read events: 7 360
Write events: 1
Delete events: 0

Modification events

PID: 3020
Process: FritizenES.exe
Key: HKEY_CURRENT_USER\SOFTWARE\CitizenFX\RedM
Operation: write
Name: Last Run Location
Value: C:\Users\admin\AppData\Roaming\HJ4G23J6G34J2HKG6HJK34GKHJ463GJK2346346FHJ234F6F2H34HG6FHJASGGASGASGafwgawggawawgawgjtdfftjawgawgawgawg\
Executable files: 35
Suspicious files: 8
Text files: 2
Unknown types: 0

Dropped files

PID: 920 | Process: AnyDesk.tmp | Filename: C:\Users\admin\AppData\Roaming\HJ4G23J6G34J2HKG6HJK34GKHJ463GJK2346346FHJ234F6F2H34HG6FHJASGGASGASGafwgawggawawgawgjtdfftjawgawgawgawg\is-RPIES.tmp
MD5:
SHA256:

PID: 920 | Process: AnyDesk.tmp | Filename: C:\Users\admin\AppData\Roaming\HJ4G23J6G34J2HKG6HJK34GKHJ463GJK2346346FHJ234F6F2H34HG6FHJASGGASGASGafwgawggawawgawgjtdfftjawgawgawgawg\Repository.xml
MD5:
SHA256:

PID: 920 | Process: AnyDesk.tmp | Filename: C:\Users\admin\AppData\Roaming\HJ4G23J6G34J2HKG6HJK34GKHJ463GJK2346346FHJ234F6F2H34HG6FHJASGGASGASGafwgawggawawgawgjtdfftjawgawgawgawg\FritizenES.exe | Type: executable
MD5: 2B5EACE4A573E8347A39A1B304233994
SHA256: 4B9D1A571FBADB05E2631C38C250F913862B7B5AD1D29A1CF095E0F81CAE810F

PID: 920 | Process: AnyDesk.tmp | Filename: C:\Users\admin\AppData\Local\Temp\is-AN0E1.tmp\_isetup\_setup64.tmp | Type: executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID: 920 | Process: AnyDesk.tmp | Filename: C:\Users\admin\AppData\Roaming\HJ4G23J6G34J2HKG6HJK34GKHJ463GJK2346346FHJ234F6F2H34HG6FHJASGGASGASGafwgawggawawgawgjtdfftjawgawgawgawg\README.md | Type: binary
MD5: BB54B78B2CA7B17CF470E7A80B55EEAE
SHA256: 84FB001C629ECF6B611CF6428487D28C7A254D83EABA4E1DD2A54AE0ADCB5D39

PID: 920 | Process: AnyDesk.tmp | Filename: C:\Users\admin\AppData\Roaming\HJ4G23J6G34J2HKG6HJK34GKHJ463GJK2346346FHJ234F6F2H34HG6FHJASGGASGASGafwgawggawawgawgjtdfftjawgawgawgawg\is-PL5N8.tmp | Type: binary
MD5: BB54B78B2CA7B17CF470E7A80B55EEAE
SHA256: 84FB001C629ECF6B611CF6428487D28C7A254D83EABA4E1DD2A54AE0ADCB5D39

PID: 920 | Process: AnyDesk.tmp | Filename: C:\Users\admin\AppData\Roaming\HJ4G23J6G34J2HKG6HJK34GKHJ463GJK2346346FHJ234F6F2H34HG6FHJASGGASGASGafwgawggawawgawgjtdfftjawgawgawgawg\libdefr.dat | Type: binary
MD5: 322C3C8CA806B82DA5E7638025264972
SHA256: FADB07B5A1CC45E12A7302936DE07C3DF1521709DD7BF7C31F77B9BDE2004478

PID: 4120 | Process: AnyDesk.exe | Filename: C:\Users\admin\AppData\Local\Temp\is-6UGES.tmp\AnyDesk.tmp | Type: executable
MD5: 556AEC12CF43FB4FE9D97FA56E4499FA
SHA256: CC3AC8A137F75AF42B0260709610276990857A965CAA71C14C093141652A5A98

PID: 920 | Process: AnyDesk.tmp | Filename: C:\Users\admin\AppData\Roaming\HJ4G23J6G34J2HKG6HJK34GKHJ463GJK2346346FHJ234F6F2H34HG6FHJASGGASGASGafwgawggawawgawgjtdfftjawgawgawgawg\is-LQG7M.tmp | Type: executable
MD5: 375458B10E0675AF170867C24F8919A6
SHA256: D491CBA96D705DC81D5FDF190D83C1B7409337E12C81A611339B5A0276B14528

PID: 920 | Process: AnyDesk.tmp | Filename: C:\Users\admin\AppData\Roaming\HJ4G23J6G34J2HKG6HJK34GKHJ463GJK2346346FHJ234F6F2H34HG6FHJASGGASGASGafwgawggawawgawgjtdfftjawgawgawgawg\is-HBA1C.tmp | Type: executable
MD5: 2B5EACE4A573E8347A39A1B304233994
SHA256: 4B9D1A571FBADB05E2631C38C250F913862B7B5AD1D29A1CF095E0F81CAE810F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 17
DNS requests: 11
Threats: 11

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6544 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
960 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
960 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 | | 20.73.194.208:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 40.126.32.138:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6676 | UniClient.exe | 47.83.194.149:27965 | | SPRINTLINK | US | malicious
960 | SIHClient.exe | 52.149.20.212:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.32.138
  • 40.126.32.136
  • 40.126.32.72
  • 40.126.32.76
  • 20.190.160.5
  • 20.190.160.4
  • 20.190.160.64
  • 20.190.160.128
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted

Threats

PID | Process | Class | Message
6676 | UniClient.exe | Malware Command and Control Activity Detected | ET MALWARE Winos4.0 Framework CnC Login Message
6676 | UniClient.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] SilverFox Keep-Alive Client Packet
6676 | UniClient.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] SilverFox Keep-Alive Client Packet
6676 | UniClient.exe | Malware Command and Control Activity Detected | ET MALWARE Winos4.0 Framework CnC Login Message CnC Server Response
6676 | UniClient.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] SilverFox Keep-Alive Client Packet
6676 | UniClient.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] SilverFox Keep-Alive Client Packet
6676 | UniClient.exe | Malware Command and Control Activity Detected | ET MALWARE Winos4.0 Framework CnC Login Message
6676 | UniClient.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] SilverFox Keep-Alive Client Packet
6676 | UniClient.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] SilverFox Keep-Alive Client Packet
6676 | UniClient.exe | Malware Command and Control Activity Detected | ET MALWARE Winos4.0 Framework CnC Login Message CnC Server Response
No debug info