Malware analysis AnyDesk.exe Malicious activity | ANY.RUN

Add for printing

File name:	AnyDesk.exe
Full analysis:	https://app.any.run/tasks/7f3e5a19-ce05-4b7f-b1d6-d2c66ce426b4
Verdict:	Malicious activity
Analysis date:	January 26, 2024, 00:33:29
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	75EECC3A8B215C465F541643E9C4F484
SHA1:	3AD1F800B63640128BFDCC8DBEE909554465EE11
SHA256:	EC33D8EE9C3881B8FCEA18F9F862D5926D994553AEC1B65081D925AFD3E8B028
SSDEEP:	98304:xEhZCn2N8X+7A2qiwQPq5jGbmUX4j98EjlWipPUQAD0hrKKnpdZYki3qe3Bv9PRi:uPqKJ1K/rSOr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - AnyDesk.exe (PID: 1036)
  - AnyDesk.exe (PID: 452)
  - AnyDesk.exe (PID: 2820)
  - AnyDesk.exe (PID: 1408)
- Create files in the Startup directory
  - AnyDesk.exe (PID: 2820)
  - regsvr32.exe (PID: 4012)
- Creates a writable file in the system directory
  - AnyDesk.exe (PID: 1348)
- Steals credentials from Web Browsers
  - taskhost.exe (PID: 980)
  - setup.exe (PID: 1696)
- Antivirus name has been found in the command line (generic signature)
  - unregmp2.exe (PID: 2980)
- Changes the autorun value in the registry
  - unregmp2.exe (PID: 2980)
  - regsvr32.exe (PID: 4012)
SUSPICIOUS
- Application launched itself
  - AnyDesk.exe (PID: 1036)
  - AnyDesk.exe (PID: 452)
  - AnyDesk.exe (PID: 3432)
  - AnyDesk.exe (PID: 1408)
  - ie4uinit.exe (PID: 3436)
  - AnyDesk.exe (PID: 1348)
  - rundll32.exe (PID: 948)
  - setup.exe (PID: 1696)
- Reads the Internet Settings
  - AnyDesk.exe (PID: 2712)
  - AnyDesk.exe (PID: 1036)
  - AnyDesk.exe (PID: 3360)
  - ie4uinit.exe (PID: 3436)
  - ie4uinit.exe (PID: 2496)
  - taskhost.exe (PID: 980)
  - rundll32.exe (PID: 948)
  - rundll32.exe (PID: 3640)
  - ie4uinit.exe (PID: 2812)
- Connects to unusual port
  - AnyDesk.exe (PID: 452)
  - AnyDesk.exe (PID: 1408)
- Executable content was dropped or overwritten
  - AnyDesk.exe (PID: 452)
  - AnyDesk.exe (PID: 2820)
  - AnyDesk.exe (PID: 1408)
- Executes as Windows Service
  - AnyDesk.exe (PID: 1408)
  - EOSNotify.exe (PID: 3776)
  - taskhost.exe (PID: 980)
  - EOSNotify.exe (PID: 908)
- Searches for installed software
  - AnyDesk.exe (PID: 1408)
  - AnyDesk.exe (PID: 3432)
  - AnyDesk.exe (PID: 3380)
  - AnyDesk.exe (PID: 3360)
  - AnyDesk.exe (PID: 3852)
  - AnyDesk.exe (PID: 120)
  - AnyDesk.exe (PID: 1348)
  - AnyDesk.exe (PID: 4080)
  - AnyDesk.exe (PID: 1388)
  - AnyDesk.exe (PID: 992)
- Creates a software uninstall entry
  - AnyDesk.exe (PID: 1408)
- The process executes via Task Scheduler
  - sipnotify.exe (PID: 548)
- Reads Internet Explorer settings
  - ie4uinit.exe (PID: 3436)
- Changes internet zones settings
  - ie4uinit.exe (PID: 3436)
- Reads Microsoft Outlook installation path
  - ie4uinit.exe (PID: 3436)
- Changes default file association
  - unregmp2.exe (PID: 2980)
- Uses RUNDLL32.EXE to load library
  - ie4uinit.exe (PID: 3436)
  - rundll32.exe (PID: 948)
- Write to the desktop.ini file (may be used to cloak folders)
  - ie4uinit.exe (PID: 3436)
  - unregmp2.exe (PID: 2980)
  - regsvr32.exe (PID: 4012)
- Reads settings of System Certificates
  - sipnotify.exe (PID: 548)
INFO
- Creates files or folders in the user directory
  - AnyDesk.exe (PID: 1036)
  - AnyDesk.exe (PID: 452)
- Checks supported languages
  - AnyDesk.exe (PID: 1036)
  - AnyDesk.exe (PID: 2712)
  - AnyDesk.exe (PID: 452)
  - AnyDesk.exe (PID: 2292)
  - AnyDesk.exe (PID: 1408)
  - AnyDesk.exe (PID: 2820)
  - AnyDesk.exe (PID: 3380)
  - AnyDesk.exe (PID: 3360)
  - AnyDesk.exe (PID: 3432)
  - AnyDesk.exe (PID: 3852)
  - AnyDesk.exe (PID: 120)
  - AnyDesk.exe (PID: 4080)
  - AnyDesk.exe (PID: 1348)
  - AnyDesk.exe (PID: 1388)
  - setup.exe (PID: 1696)
  - setup.exe (PID: 2860)
  - IMEKLMG.EXE (PID: 1560)
  - IMKRMIG.EXE (PID: 2384)
  - AnyDesk.exe (PID: 992)
  - setup.exe (PID: 3808)
  - IMEKLMG.EXE (PID: 3596)
  - wmpnscfg.exe (PID: 1624)
  - wmpnscfg.exe (PID: 3712)
- Process checks whether UAC notifications are on
  - AnyDesk.exe (PID: 1036)
  - IMEKLMG.EXE (PID: 3596)
  - IMEKLMG.EXE (PID: 1560)
- Reads the computer name
  - AnyDesk.exe (PID: 1036)
  - AnyDesk.exe (PID: 452)
  - AnyDesk.exe (PID: 2712)
  - AnyDesk.exe (PID: 2292)
  - AnyDesk.exe (PID: 2820)
  - AnyDesk.exe (PID: 1408)
  - AnyDesk.exe (PID: 3380)
  - AnyDesk.exe (PID: 3360)
  - AnyDesk.exe (PID: 3432)
  - AnyDesk.exe (PID: 3852)
  - AnyDesk.exe (PID: 120)
  - AnyDesk.exe (PID: 4080)
  - AnyDesk.exe (PID: 1348)
  - AnyDesk.exe (PID: 1388)
  - setup.exe (PID: 2860)
  - setup.exe (PID: 3808)
  - IMEKLMG.EXE (PID: 3596)
  - IMEKLMG.EXE (PID: 1560)
  - AnyDesk.exe (PID: 992)
  - wmpnscfg.exe (PID: 1624)
  - wmpnscfg.exe (PID: 3712)
- Reads the machine GUID from the registry
  - AnyDesk.exe (PID: 1036)
  - AnyDesk.exe (PID: 452)
  - AnyDesk.exe (PID: 3432)
  - AnyDesk.exe (PID: 1408)
  - AnyDesk.exe (PID: 2820)
- Reads CPU info
  - AnyDesk.exe (PID: 1036)
  - AnyDesk.exe (PID: 3432)
- Creates files in the program directory
  - AnyDesk.exe (PID: 2820)
  - AnyDesk.exe (PID: 1408)
  - AnyDesk.exe (PID: 120)
  - ie4uinit.exe (PID: 3436)
  - chrmstp.exe (PID: 116)
  - chrmstp.exe (PID: 2928)
  - setup.exe (PID: 3808)
  - setup.exe (PID: 2860)
  - setup.exe (PID: 1696)
- Manual execution by a user
  - AnyDesk.exe (PID: 3380)
  - AnyDesk.exe (PID: 3432)
  - ie4uinit.exe (PID: 3436)
  - ie4uinit.exe (PID: 2496)
  - unregmp2.exe (PID: 2980)
  - ie4uinit.exe (PID: 2812)
  - chrmstp.exe (PID: 116)
  - regsvr32.exe (PID: 4012)
  - setup.exe (PID: 1696)
  - IMEKLMG.EXE (PID: 1560)
  - IMEKLMG.EXE (PID: 3596)
  - AnyDesk.exe (PID: 992)
  - wmpnscfg.exe (PID: 3712)
  - wmpnscfg.exe (PID: 1624)
- Reads security settings of Internet Explorer
  - ie4uinit.exe (PID: 3436)
  - sipnotify.exe (PID: 548)
- Application launched itself
  - chrmstp.exe (PID: 2928)
  - chrmstp.exe (PID: 116)
  - msedge.exe (PID: 3768)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:11:09 08:48:10+01:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	10752
InitializedDataSize:	5496832
UninitializedDataSize:	19445760
EntryPoint:	0x1ce5
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	8.0.6.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Unknown (0)
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	AnyDesk Software GmbH
FileDescription:	AnyDesk
FileVersion:	8.0.6
ProductName:	AnyDesk
ProductVersion:	8
LegalCopyright:	(C) 2022 AnyDesk Software GmbH

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

108

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

116

"C:\Program Files\Google\Chrome\Application\109.0.5414.120\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level

C:\Program Files\Google\Chrome\Application\109.0.5414.120\Installer\chrmstp.exe

—

explorer.exe

User:

Administrator

Company:

Google LLC

Integrity Level:

HIGH

Description:

Google Chrome Installer

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files\google\chrome\application\109.0.5414.120\installer\chrmstp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\shell32.dll

120

"C:\Program Files\AnyDesk\AnyDesk.exe" --backend

C:\Program Files\AnyDesk\AnyDesk.exe

—

AnyDesk.exe

User:

SYSTEM

Company:

AnyDesk Software GmbH

Integrity Level:

SYSTEM

Description:

AnyDesk

Exit code:

Version:

8.0.6

Modules

Images
c:\program files\anydesk\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

316

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Administrator\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Administrator\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Administrator\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc4,0xc8,0xcc,0x98,0xd4,0x6f3af598,0x6f3af5a8,0x6f3af5b4

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

Administrator

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Edge

Exit code:

Version:

109.0.1518.115

Modules

Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

452

"C:\Users\admin\AppData\Local\Temp\AnyDesk.exe" --local-service

C:\Users\admin\AppData\Local\Temp\AnyDesk.exe

AnyDesk.exe

User:

admin

Company:

AnyDesk Software GmbH

Integrity Level:

MEDIUM

Description:

AnyDesk

Exit code:

9099

Version:

8.0.6

Modules

Images
c:\users\admin\appdata\local\temp\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

548

C:\Windows\system32\sipnotify.exe -LogonOrUnlock

C:\Windows\System32\sipnotify.exe

taskeng.exe

User:

Administrator

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

sipnotify

Exit code:

Version:

6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716)

Modules

Images
c:\windows\system32\sipnotify.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

900

C:\Windows\System32\rundll32 advpack.dll,LaunchINFSectionEx C:\Windows\system32\ieuinit.inf,Install,,36

C:\Windows\System32\rundll32.exe

—

ie4uinit.exe

User:

Administrator

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows host process (Rundll32)

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll

908

C:\Windows\system32\EOSNotify.exe

C:\Windows\System32\EOSNotify.exe

—

services.exe

User:

Administrator

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

EOS Notification

Exit code:

Version:

6.1.7601.24544 (win7sp1_ldr_escrow.191230-1647)

Modules

Images
c:\windows\system32\eosnotify.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

948

C:\Windows\System32\rundll32 C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m

C:\Windows\System32\rundll32.exe

—

ie4uinit.exe

User:

Administrator

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows host process (Rundll32)

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll

980

"taskhost.exe"

C:\Windows\System32\taskhost.exe

services.exe

User:

Administrator

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Host Process for Windows Tasks

Exit code:

1073807364

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\taskhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

992

"C:\Program Files\AnyDesk\AnyDesk.exe" --control

C:\Program Files\AnyDesk\AnyDesk.exe

—

explorer.exe

User:

Administrator

Company:

AnyDesk Software GmbH

Integrity Level:

HIGH

Description:

AnyDesk

Exit code:

Version:

8.0.6

Modules

Images
c:\program files\anydesk\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

Add for printing

Total events

23 910

Read events

23 062

Write events

841

Delete events

Modification events


(PID) Process:	(1036) AnyDesk.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1036) AnyDesk.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1036) AnyDesk.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1036) AnyDesk.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2820) AnyDesk.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	GlobalAssocChangedCounter
Value: 115
(PID) Process:	(1408) AnyDesk.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation:	write	Name:	DisplayName
Value: AnyDesk
(PID) Process:	(1408) AnyDesk.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation:	write	Name:	DisplayVersion
Value: ad 8.0.6
(PID) Process:	(1408) AnyDesk.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation:	write	Name:	VersionMajor
Value: 8
(PID) Process:	(1408) AnyDesk.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation:	write	Name:	VersionMinor
Value: 0
(PID) Process:	(1408) AnyDesk.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation:	write	Name:	VersionBuild
Value: 6

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1036	AnyDesk.exe	C:\Users\admin\AppData\Roaming\AnyDesk\user.conf		text
		MD5:A787C308BD30D6D844E711D7579BE552	SHA256:8A395011A6A877D3BDD53CC8688EF146160DAB9D42140EB4A70716AD4293A440
1036	AnyDesk.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AFFHT3VQHBTTSBDEVDKZ.temp		binary
		MD5:6FC4DF2DFBA2A27CAFAD3D7D28A88D47	SHA256:CC33D29C66E215AED8BEB82606A82CB0001FFAE3138CB3CB081318715A911801
3432	AnyDesk.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms		binary
		MD5:F3F6CDD4A56182A6BB052C41225A40D7	SHA256:A25F48B8CC33DB8A9503CB1ED0E579A54BBAA998F20D071B83B67F3E1585E4C6
2820	AnyDesk.exe	C:\Program Files\AnyDesk\AnyDesk.exe		executable
		MD5:75EECC3A8B215C465F541643E9C4F484	SHA256:EC33D8EE9C3881B8FCEA18F9F862D5926D994553AEC1B65081D925AFD3E8B028
2820	AnyDesk.exe	C:\Users\Public\Desktop\AnyDesk.lnk		binary
		MD5:A9CA692CEE1AD5453021C57C66DA236E	SHA256:3C2D4F879D9F63B996C055F1D2E11AAB1D19A795C1875198E7BB5A879DBBD0B3
2820	AnyDesk.exe	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnyDesk\AnyDesk.lnk		binary
		MD5:E59CC2FE60A2FA2492B3733549CF05D6	SHA256:F5F22EA8B65442455965C00A324946E9C331C61FE3B2128A78453FDBA4B8DDFA
452	AnyDesk.exe	C:\Users\admin\AppData\Roaming\AnyDesk\connection_trace.txt		binary
		MD5:4F2F0F01E5DA317817A2E38C44A742C1	SHA256:1011AC8C7831483C03A4D3946F879D301A2C19EDCFF23EA451C88AE6F0250049
2820	AnyDesk.exe	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AnyDesk.lnk		binary
		MD5:AE765CD860CA58751284A48B3CBC9A6D	SHA256:BE445B7CE9293930F15B411C7FCEA8CEC5956C2420F896DBA4D2F56D036ACE26
3432	AnyDesk.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms~RF15a61d.TMP		binary
		MD5:6FC4DF2DFBA2A27CAFAD3D7D28A88D47	SHA256:CC33D29C66E215AED8BEB82606A82CB0001FFAE3138CB3CB081318715A911801
452	AnyDesk.exe	C:\Users\admin\AppData\Roaming\AnyDesk\system.conf		text
		MD5:0C04AD1083DC5C7C45E3EE2CD344AE38	SHA256:6452273C017DB7CBE0FFC5B109BBF3F8D3282FB91BFA3C5EABC4FB8F1FC98CB0

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
548	sipnotify.exe	HEAD	200	23.210.119.212:80	http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133507029499270000	unknown	—	—	unknown
—	—	POST	200	18.245.86.79:80	http://api.playanext.com/httpapi	unknown	—	—	unknown
548	sipnotify.exe	GET	200	23.210.119.212:80	http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133507029499270000	unknown	compressed	78.4 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
452	AnyDesk.exe	49.12.130.236:443	boot.net.anydesk.com	Hetzner Online GmbH	DE	unknown
452	AnyDesk.exe	49.12.130.236:80	boot.net.anydesk.com	Hetzner Online GmbH	DE	unknown
452	AnyDesk.exe	49.12.130.236:6568	boot.net.anydesk.com	Hetzner Online GmbH	DE	unknown
452	AnyDesk.exe	208.115.231.38:443	relay-acbffbf3.net.anydesk.com	LIMESTONENETWORKS	US	unknown
—	—	192.168.100.91:49173	—	—	—	unknown
452	AnyDesk.exe	10.26.167.43:7070	—	—	—	unknown
452	AnyDesk.exe	173.20.44.6:56188	—	MEDIACOM-ENTERPRISE-BUSINESS	US	unknown
452	AnyDesk.exe	173.20.44.6:7070	—	MEDIACOM-ENTERPRISE-BUSINESS	US	unknown
1408	AnyDesk.exe	208.115.231.38:443	relay-acbffbf3.net.anydesk.com	LIMESTONENETWORKS	US	unknown

DNS requests

Domain	IP	Reputation
boot.net.anydesk.com	49.12.130.236	unknown
relay-acbffbf3.net.anydesk.com	208.115.231.38	unknown
relay-10d0d168.net.anydesk.com	208.115.231.206	unknown
query.prod.cms.rt.microsoft.com	23.210.119.212	whitelisted
relay-48ce591e.net.anydesk.com	208.115.231.102	unknown
api.playanext.com	18.245.86.105 18.245.86.26 18.245.86.84 18.245.86.79	whitelisted

Threats

PID	Process	Class	Message
452	AnyDesk.exe	Misc activity	ET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)
—	—	Potential Corporate Privacy Violation	ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent

Add for printing

No debug info

General Info

AnyDesk.exe

75EECC3A8B215C465F541643E9C4F484

3AD1F800B63640128BFDCC8DBEE909554465EE11

EC33D8EE9C3881B8FCEA18F9F862D5926D994553AEC1B65081D925AFD3E8B028

98304:xEhZCn2N8X+7A2qiwQPq5jGbmUX4j98EjlWipPUQAD0hrKKnpdZYki3qe3Bv9PRi:uPqKJ1K/rSOr

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Create files in the Startup directory

Creates a writable file in the system directory

Steals credentials from Web Browsers

Antivirus name has been found in the command line (generic signature)

Changes the autorun value in the registry

SUSPICIOUS

Application launched itself

Reads the Internet Settings

Connects to unusual port

Executable content was dropped or overwritten

Executes as Windows Service

Searches for installed software

Creates a software uninstall entry

The process executes via Task Scheduler

Reads Internet Explorer settings

Changes internet zones settings

Reads Microsoft Outlook installation path

Changes default file association

Uses RUNDLL32.EXE to load library

Write to the desktop.ini file (may be used to cloak folders)

Reads settings of System Certificates

INFO

Creates files or folders in the user directory

Checks supported languages

Process checks whether UAC notifications are on

Reads the computer name

Reads the machine GUID from the registry

Reads CPU info

Creates files in the program directory

Manual execution by a user

Reads security settings of Internet Explorer

Application launched itself

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests