File name:

AnyDesk.exe

Full analysis: https://app.any.run/tasks/770a10c2-6f36-4c18-bf8f-1a8ec0123b20
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Malware Trends Tracker     >>>
Analysis date: July 27, 2025, 23:03:03
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
anydesk
rmm-tool
adware
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

21CD9E74C595164A8592C040DFDDA463

SHA1:

A205CDA0E7CD0DAE337887FF6AB11FB370F59DBD

SHA256:

D81C4DC722AE3CF72E470DCE70D2F604C99461068441A65A70C5E578F5008D17

SSDEEP:

98304:+bp6GatsAYgDqNN9YsDuliP5/PcvhTmdDTLyAxbf9hayediRlGmqCQHCsog9FA+I:Qxc23ytHq/L6Y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ADWARE has been detected (SURICATA)

      • AnyDesk.exe (PID: 3160)

  • SUSPICIOUS

    • ANYDESK mutex has been found

      • AnyDesk.exe (PID: 6376)
      • AnyDesk.exe (PID: 2192)
      • AnyDesk.exe (PID: 3160)

    • ANYDESK has been found

      • AnyDesk.exe (PID: 6376)

    • Application launched itself

      • AnyDesk.exe (PID: 6376)

    • Executable content was dropped or overwritten

      • AnyDesk.exe (PID: 3160)

    • Potential Corporate Privacy Violation

      • AnyDesk.exe (PID: 3160)

    • Access to an unwanted program domain was detected

      • AnyDesk.exe (PID: 3160)

  • INFO

    • Checks supported languages

      • AnyDesk.exe (PID: 6376)
      • AnyDesk.exe (PID: 2192)
      • AnyDesk.exe (PID: 3160)

    • The sample compiled with english language support

      • AnyDesk.exe (PID: 6376)
      • AnyDesk.exe (PID: 3160)

    • Reads the computer name

      • AnyDesk.exe (PID: 6376)
      • AnyDesk.exe (PID: 2192)
      • AnyDesk.exe (PID: 3160)

    • Creates files or folders in the user directory

      • AnyDesk.exe (PID: 6376)
      • AnyDesk.exe (PID: 3160)
      • AnyDesk.exe (PID: 2192)

    • Process checks whether UAC notifications are on

      • AnyDesk.exe (PID: 6376)

    • Reads the machine GUID from the registry

      • AnyDesk.exe (PID: 3160)

    • Reads CPU info

      • AnyDesk.exe (PID: 2192)

    • Checks proxy server information

      • AnyDesk.exe (PID: 2192)

    • Process checks computer location settings

      • AnyDesk.exe (PID: 2192)
      • AnyDesk.exe (PID: 3160)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:07:11 09:14:54+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 10752
InitializedDataSize: 7892992
UninitializedDataSize: 28889088
EntryPoint: 0x3653
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 9.5.9.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: AnyDesk Software GmbH
FileDescription: AnyDesk
FileVersion: 9.5.9
ProductName: AnyDesk
ProductVersion: 9.5
LegalCopyright: (C) 2025 AnyDesk Software GmbH
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
139
Monitored processes
4
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start anydesk.exe no specs #ADWARE anydesk.exe anydesk.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2192"C:\Users\admin\AppData\Local\Temp\AnyDesk.exe" --local-controlC:\Users\admin\AppData\Local\Temp\AnyDesk.exeAnyDesk.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Version:
9.5.9
Modules
Images
c:\users\admin\appdata\local\temp\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
2632C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3160"C:\Users\admin\AppData\Local\Temp\AnyDesk.exe" --local-serviceC:\Users\admin\AppData\Local\Temp\AnyDesk.exe
AnyDesk.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Version:
9.5.9
Modules
Images
c:\users\admin\appdata\local\temp\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
6376"C:\Users\admin\AppData\Local\Temp\AnyDesk.exe" C:\Users\admin\AppData\Local\Temp\AnyDesk.exeexplorer.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Version:
9.5.9
Modules
Images
c:\users\admin\appdata\local\temp\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
Total events
1 053
Read events
1 053
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
3
Text files
162
Unknown types
0

Dropped files

PID
Process
Filename
Type
6376AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\system.conf~RF18cee4.TMP
MD5:
SHA256:
6376AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF18cf03.TMP
MD5:
SHA256:
6376AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF18cf51.TMP
MD5:
SHA256:
6376AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF18cf9f.TMP
MD5:
SHA256:
6376AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF18cfce.TMP
MD5:
SHA256:
6376AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF18d4df.TMP
MD5:
SHA256:
6376AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF18d4ef.TMP
MD5:
SHA256:
3160AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\system.conf~RF18d77f.TMP
MD5:
SHA256:
2192AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF18d7ae.TMP
MD5:
SHA256:
3160AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\service.conf~RF18d8c7.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
24
DNS requests
19
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3160
AnyDesk.exe
POST
200
52.85.65.2:80
http://api.playanext.com/httpapi
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.48.23.146:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
592
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5476
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5476
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4540
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
3160
AnyDesk.exe
185.229.191.39:443
boot.net.anydesk.com
Datacamp Limited
NL
whitelisted
3160
AnyDesk.exe
208.115.231.138:443
relay-0704c0e0.net.anydesk.com
LIMESTONENETWORKS
US
whitelisted
3160
AnyDesk.exe
52.85.65.2:80
api.playanext.com
AMAZON-02
US
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
23.48.23.146:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.142
whitelisted
boot.net.anydesk.com
  • 92.223.88.232
  • 57.129.37.75
  • 195.181.174.167
  • 185.229.190.236
  • 185.229.191.44
  • 92.223.88.7
  • 57.129.37.28
  • 92.223.88.41
  • 57.129.19.230
  • 185.229.191.39
whitelisted
relay-0704c0e0.net.anydesk.com
  • 208.115.231.138
whitelisted
api.playanext.com
  • 52.85.65.41
  • 52.85.65.127
  • 52.85.65.56
  • 52.85.65.2
whitelisted
crl.microsoft.com
  • 23.48.23.146
  • 23.48.23.140
  • 23.48.23.143
  • 23.48.23.191
  • 23.48.23.137
  • 23.48.23.145
  • 23.48.23.158
  • 23.48.23.194
  • 23.48.23.141
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
whitelisted
login.live.com
  • 40.126.32.133
  • 20.190.160.3
  • 20.190.160.14
  • 40.126.32.138
  • 20.190.160.20
  • 40.126.32.74
  • 20.190.160.17
  • 40.126.32.136
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
slscr.update.microsoft.com
  • 74.178.76.128
whitelisted

Threats

PID
Process
Class
Message
2200
svchost.exe
Misc activity
ET REMOTE_ACCESS Anydesk Relay Domain (net .anydesk .com) in DNS Lookup
2200
svchost.exe
Misc activity
ET REMOTE_ACCESS Anydesk Domain (boot .net .anydesk .com) in DNS Lookup
2200
svchost.exe
Misc activity
ET REMOTE_ACCESS Anydesk Relay Domain (net .anydesk .com) in DNS Lookup
3160
AnyDesk.exe
Potential Corporate Privacy Violation
ET REMOTE_ACCESS AnyDesk Remote Desktop Software User-Agent
3160
AnyDesk.exe
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] Driver Updater Setup Process
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
AnyDesk.exe