File name: anydesk-8-0-6.exe
Full analysis: https://app.any.run/tasks/b42f36e7-0913-4563-8013-1232a1a4f49b
Verdict: Malicious activity
Analysis date: February 13, 2024, 11:10:28
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 75EECC3A8B215C465F541643E9C4F484
SHA1: 3AD1F800B63640128BFDCC8DBEE909554465EE11
SHA256: EC33D8EE9C3881B8FCEA18F9F862D5926D994553AEC1B65081D925AFD3E8B028
SSDEEP: 98304:xEhZCn2N8X+7A2qiwQPq5jGbmUX4j98EjlWipPUQAD0hrKKnpdZYki3qe3Bv9PRi:uPqKJ1K/rSOr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could have been distorted by user actions and is provided as is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • anydesk-8-0-6.exe (PID: 2020)
      • anydesk-8-0-6.exe (PID: 5608)
  • SUSPICIOUS

    • Found AnyDesk certificate that may have been compromised

      • anydesk-8-0-6.exe (PID: 2020)
      • anydesk-8-0-6.exe (PID: 3156)
      • anydesk-8-0-6.exe (PID: 5608)
    • Executable content was dropped or overwritten

      • anydesk-8-0-6.exe (PID: 5608)
    • Application launched itself

      • anydesk-8-0-6.exe (PID: 2020)
    • Connects to unusual port

      • anydesk-8-0-6.exe (PID: 5608)
  • INFO

    • Reads the computer name

      • anydesk-8-0-6.exe (PID: 2020)
      • anydesk-8-0-6.exe (PID: 3156)
      • anydesk-8-0-6.exe (PID: 5608)
    • Checks supported languages

      • anydesk-8-0-6.exe (PID: 2020)
      • anydesk-8-0-6.exe (PID: 5608)
      • anydesk-8-0-6.exe (PID: 3156)
    • Process checks whether UAC notifications are on

      • anydesk-8-0-6.exe (PID: 2020)
    • Checks proxy server information

      • slui.exe (PID: 1764)
      • anydesk-8-0-6.exe (PID: 3156)
    • Reads the software policy settings

      • slui.exe (PID: 1764)
    • Creates files or folders in the user directory

      • anydesk-8-0-6.exe (PID: 2020)
    • Reads CPU info

      • anydesk-8-0-6.exe (PID: 2020)
    • Process checks computer location settings

      • anydesk-8-0-6.exe (PID: 5608)
      • anydesk-8-0-6.exe (PID: 3156)
    • Reads the machine GUID from the registry

      • anydesk-8-0-6.exe (PID: 5608)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:11:09 07:48:10+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 10752
InitializedDataSize: 5496832
UninitializedDataSize: 19445760
EntryPoint: 0x1ce5
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 8.0.6.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: AnyDesk Software GmbH
FileDescription: AnyDesk
FileVersion: 8.0.6
ProductName: AnyDesk
ProductVersion: 8
LegalCopyright: (C) 2022 AnyDesk Software GmbH
No data.
All screenshots are available in the full report
Total processes: 142
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown: anydesk-8-0-6.exe (no specs), anydesk-8-0-6.exe, anydesk-8-0-6.exe (no specs), slui.exe, filecoauth.exe (no specs)

Process information

PID 536: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDrive File Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID 1764: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID 2020: "C:\Users\admin\Desktop\anydesk-8-0-6.exe"
Path: C:\Users\admin\Desktop\anydesk-8-0-6.exe
Parent process: explorer.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Exit code:
0
Version:
8.0.6
Modules
Images
c:\users\admin\desktop\anydesk-8-0-6.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
PID 3156: "C:\Users\admin\Desktop\anydesk-8-0-6.exe" --local-control
Path: C:\Users\admin\Desktop\anydesk-8-0-6.exe
Parent process: anydesk-8-0-6.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Exit code:
0
Version:
8.0.6
Modules
Images
c:\users\admin\desktop\anydesk-8-0-6.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
PID 5608: "C:\Users\admin\Desktop\anydesk-8-0-6.exe" --local-service
Path: C:\Users\admin\Desktop\anydesk-8-0-6.exe
Parent process: anydesk-8-0-6.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Exit code:
0
Version:
8.0.6
Modules
Images
c:\users\admin\desktop\anydesk-8-0-6.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
Total events: 5 440
Read events: 5 440
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 1
Text files: 3
Unknown types: 3

Dropped files

PID | Process | Filename | Type

5608 | anydesk-8-0-6.exe | C:\Users\admin\AppData\Roaming\AnyDesk\service.conf | text
  MD5: E1611676B9D212DE83032006DAE2425D
  SHA256: DE706D0D38C19649ACE101C682E7D3DA8D57727DB574DF76C3A9314A7CC1E6B9
2020 | anydesk-8-0-6.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LNPLZN55XRCTTYUO45RL.temp | binary
  MD5: 2854CC16A87084339F1C5008417805DF
  SHA256: 0518F6977C05D23DE150999FD38A1E0D563A5A07DDAEF83C4D1689A7F993CFF3
2020 | anydesk-8-0-6.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms | binary
  MD5: 2854CC16A87084339F1C5008417805DF
  SHA256: 0518F6977C05D23DE150999FD38A1E0D563A5A07DDAEF83C4D1689A7F993CFF3
5608 | anydesk-8-0-6.exe | C:\Users\admin\AppData\Roaming\AnyDesk\system.conf | text
  MD5: 0C04AD1083DC5C7C45E3EE2CD344AE38
  SHA256: 6452273C017DB7CBE0FFC5B109BBF3F8D3282FB91BFA3C5EABC4FB8F1FC98CB0
2020 | anydesk-8-0-6.exe | C:\Users\admin\AppData\Roaming\AnyDesk\user.conf | text
  MD5: A787C308BD30D6D844E711D7579BE552
  SHA256: 8A395011A6A877D3BDD53CC8688EF146160DAB9D42140EB4A70716AD4293A440
536 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-02-13.1119.536.1.aodl | binary
  MD5: 923BF0E545D9C37CA8874C8D6C4A30E6
  SHA256: AB32C675D35DDBEBFCF8B11720C3E550024E8D0DF557838F17186377E3D0FE65
536 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-02-13.1119.536.1.odl | binary
  MD5: F52555BFE707CE1687988A34757EF717
  SHA256: 04BCC757CE08C98D62C784E030486F44C293E8C9973B11967E5A86458BD37618
5608 | anydesk-8-0-6.exe | C:\Users\admin\Desktop\gcapi.dll | executable
  MD5: 1CE7D5A1566C8C449D0F6772A8C27900
  SHA256: 73170761D6776C0DEBACFBBC61B6988CB8270A20174BF5C049768A264BB8FFAF
5608 | anydesk-8-0-6.exe | C:\Users\admin\AppData\Local\Temp\gcapi.dll | executable
  MD5: 1CE7D5A1566C8C449D0F6772A8C27900
  SHA256: 73170761D6776C0DEBACFBBC61B6988CB8270A20174BF5C049768A264BB8FFAF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
31
TCP/UDP connections
135
DNS requests
26
Threats
3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

6912 | SIHClient.exe | GET | 304 | 13.85.23.86:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19044.1288/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1288&MK=DELL&MD=DELL | unknown
5608 | anydesk-8-0-6.exe | POST | 200 | 18.245.86.105:80 | http://api.playanext.com/httpapi | unknown | unknown
6912 | SIHClient.exe | GET | 200 | 13.85.23.86:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19044.1288/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1288&MK=DELL&MD=DELL | unknown
6912 | SIHClient.exe | GET | 200 | 23.204.115.179:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | binary | 824 b | unknown
6912 | SIHClient.exe | GET | 200 | 23.38.201.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | binary | 813 b | unknown
6912 | SIHClient.exe | GET | 200 | 23.38.201.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | binary | 418 b | unknown
6912 | SIHClient.exe | GET | 200 | 23.204.115.179:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | binary | 555 b | unknown
6912 | SIHClient.exe | GET | 200 | 20.3.187.198:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown
6912 | SIHClient.exe | GET | 200 | 23.38.201.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | binary | 813 b | unknown
6912 | SIHClient.exe | GET | 200 | 23.38.201.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | binary | 400 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5608 | anydesk-8-0-6.exe | 49.12.130.235:443 | boot.net.anydesk.com | Hetzner Online GmbH | DE | unknown
5608 | anydesk-8-0-6.exe | 49.12.130.235:80 | boot.net.anydesk.com | Hetzner Online GmbH | DE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5608 | anydesk-8-0-6.exe | 57.128.141.164:443 | relay-d4aa0625.net.anydesk.com | OVH SAS | FR | unknown
5608 | anydesk-8-0-6.exe | 57.128.141.164:80 | relay-d4aa0625.net.anydesk.com | OVH SAS | FR | unknown
5608 | anydesk-8-0-6.exe | 57.128.141.164:6568 | relay-d4aa0625.net.anydesk.com | OVH SAS | FR | unknown
5608 | anydesk-8-0-6.exe | 57.128.141.165:443 | relay-0135ac48.net.anydesk.com | OVH SAS | FR | unknown
5608 | anydesk-8-0-6.exe | 57.128.141.165:80 | relay-0135ac48.net.anydesk.com | OVH SAS | FR | unknown
5608 | anydesk-8-0-6.exe | 57.128.141.154:443 | relay-aeafd8c0.net.anydesk.com | OVH SAS | FR | unknown

DNS requests

Domain
IP
Reputation
boot.net.anydesk.com
  • 49.12.130.235
  • 141.95.145.210
unknown
relay-d4aa0625.net.anydesk.com
  • 57.128.141.164
unknown
relay-0135ac48.net.anydesk.com
  • 57.128.141.165
unknown
relay-aeafd8c0.net.anydesk.com
  • 57.128.141.154
unknown
relay-2cf7befd.net.anydesk.com
  • 195.181.165.139
unknown
api.playanext.com
  • 18.245.86.84
  • 18.245.86.26
  • 18.245.86.79
  • 18.245.86.105
whitelisted
slscr.update.microsoft.com
  • 52.165.165.26
whitelisted
www.microsoft.com
  • 23.38.201.156
whitelisted
crl.microsoft.com
  • 23.204.115.179
  • 23.204.115.168
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

PID | Process | Class | Message

5608 | anydesk-8-0-6.exe | Misc activity | ET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)
5608 | anydesk-8-0-6.exe | Potential Corporate Privacy Violation | ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent
     |                   | Misc activity | ET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)
No debug info
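The behaviour recorded above (child processes started with --local-control and --local-service, the dropped gcapi.dll, the *.net.anydesk.com boot and relay hosts, and the connection to port 6568 that the sandbox flagged as "Connects to unusual port") can be turned into a small host-side IOC check. The Python below is an added example, not part of this report or of ANY.RUN's tooling: the hash and network values are copied from the report, while the Sysmon-style event records it scans are constructed here to exercise the matching logic. A hit on these rules identifies AnyDesk activity on a host; as the report's own disclaimer notes, that is a triage signal rather than a verdict, since AnyDesk is also deployed legitimately.

```python
"""IOC check built from the ANY.RUN report for anydesk-8-0-6.exe (added example)."""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Values copied from the report: SHA-256 of the sample and of the dropped gcapi.dll.
SAMPLE_SHA256 = "ec33d8ee9c3881b8fcea18f9f862d5926d994553aec1b65081d925afd3e8b028"
KNOWN_HASHES = {
    SAMPLE_SHA256: "anydesk-8-0-6.exe",
    "73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf": "gcapi.dll",
}
# Network indicators from the Connections/DNS tables: AnyDesk boot/relay hosts and
# the relay port the sandbox flagged as "Connects to unusual port".
ANYDESK_DOMAIN = re.compile(r"(^|\.)net\.anydesk\.com$", re.IGNORECASE)
UNUSUAL_PORTS = {6568}
# Switches seen on the child processes in the process tree (PIDs 3156 and 5608).
CHILD_SWITCHES = ("--local-control", "--local-service")


@dataclass
class Match:
    pid: int
    rule: str
    evidence: str


def sha256_of(data: bytes) -> str:
    """Lower-case SHA-256 hex digest, comparable with the report's hashes."""
    return hashlib.sha256(data).hexdigest()


def check_file_hash(data: bytes) -> Optional[str]:
    """Return the report's label for a file whose content matches a known hash."""
    return KNOWN_HASHES.get(sha256_of(data))


def match_events(events: list) -> list:
    """Scan Sysmon-style records (constructed dicts, see SAMPLE_EVENTS) for IOC hits.

    Record shapes assumed here:
      process_create : pid, command_line
      network_connect: pid, dest_ip, dest_port, dest_host
      file_create    : pid, target, sha256
    """
    hits = []
    for ev in events:
        pid, kind = int(ev["pid"]), ev["type"]
        if kind == "process_create":
            # Exact token match, so a path that merely contains the text is not enough.
            for sw in CHILD_SWITCHES:
                if sw in ev.get("command_line", "").split():
                    hits.append(Match(pid, "anydesk child switch", sw))
        elif kind == "network_connect":
            host, port = ev.get("dest_host", ""), int(ev.get("dest_port", 0))
            if ANYDESK_DOMAIN.search(host):
                hits.append(Match(pid, "anydesk infrastructure", f"{host}:{port}"))
            if port in UNUSUAL_PORTS:
                hits.append(Match(pid, "unusual port", f"{ev.get('dest_ip')}:{port}"))
        elif kind == "file_create":
            label = KNOWN_HASHES.get(ev.get("sha256", "").lower())
            if label:
                hits.append(Match(pid, "known dropped file", f"{ev['target']} ({label})"))
    return hits


# Constructed records mirroring the report's process tree, connections and dropped files.
EXE = r"C:\Users\admin\Desktop\anydesk-8-0-6.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2020, "command_line": f'"{EXE}"'},
    {"type": "process_create", "pid": 3156, "command_line": f'"{EXE}" --local-control'},
    {"type": "process_create", "pid": 5608, "command_line": f'"{EXE}" --local-service'},
    {"type": "network_connect", "pid": 5608, "dest_ip": "49.12.130.235", "dest_port": 443,
     "dest_host": "boot.net.anydesk.com"},
    {"type": "network_connect", "pid": 5608, "dest_ip": "57.128.141.164", "dest_port": 6568,
     "dest_host": "relay-d4aa0625.net.anydesk.com"},
    {"type": "network_connect", "pid": 6912, "dest_ip": "23.204.115.179", "dest_port": 80,
     "dest_host": "crl.microsoft.com"},
    {"type": "file_create", "pid": 5608, "target": r"C:\Users\admin\AppData\Local\Temp\gcapi.dll",
     "sha256": "73170761D6776C0DEBACFBBC61B6988CB8270A20174BF5C049768A264BB8FFAF"},
    {"type": "file_create", "pid": 5608, "target": r"C:\Users\admin\AppData\Roaming\AnyDesk\service.conf",
     "sha256": "DE706D0D38C19649ACE101C682E7D3DA8D57727DB574DF76C3A9314A7CC1E6B9"},
]


def demo() -> list:
    """Run the matcher over the constructed records; yields six hits, all tied to AnyDesk."""
    return match_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    for m in demo():
        print(f"PID {m.pid}  {m.rule:<24} {m.evidence}")
```

The service.conf record produces no hit because only the two executable hashes are in the IOC set; config files change per install and are not useful as hashes. The SIHClient.exe connection to crl.microsoft.com is included so the matcher is seen to ignore ordinary Windows traffic. To use this against real telemetry, replace SAMPLE_EVENTS with records parsed from Sysmon event IDs 1, 3 and 11 (or the equivalent EDR fields); the rule logic does not change.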