File name:

AnyDesk.exe

Full analysis: https://app.any.run/tasks/db2a65da-71e6-4895-bfbc-5f3adc98c371
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Malware Trends Tracker     >>>
Analysis date: April 12, 2025, 04:17:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
anydesk
rmm-tool
adware
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

4DEAA1198421E4E8B97E0029D8A7F901

SHA1:

7572C60B658895A91F3F833E2CB9EAD832236F46

SHA256:

FC166EF59FC0F2EAFB394BA07A05FD5DE2C3EC716FB4F635938E515F40DDA41D

SSDEEP:

98304:EPC07Ag3HmDMShovLyGb3GOLxCrQf6pG+9+Wm7xsoFCix/jjjeS30POCuRfGt/Fe:SsuqhdZIR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ADWARE has been detected (SURICATA)

      • AnyDesk.exe (PID: 4380)

  • SUSPICIOUS

    • ANYDESK has been found

      • AnyDesk.exe (PID: 6040)

    • Application launched itself

      • AnyDesk.exe (PID: 6040)

    • ANYDESK mutex has been found

      • AnyDesk.exe (PID: 6040)
      • AnyDesk.exe (PID: 4380)
      • AnyDesk.exe (PID: 1672)

    • Executable content was dropped or overwritten

      • AnyDesk.exe (PID: 4380)

    • Potential Corporate Privacy Violation

      • AnyDesk.exe (PID: 4380)

    • Access to an unwanted program domain was detected

      • AnyDesk.exe (PID: 4380)

  • INFO

    • Checks supported languages

      • AnyDesk.exe (PID: 6040)
      • AnyDesk.exe (PID: 1672)
      • AnyDesk.exe (PID: 4380)

    • Reads the computer name

      • AnyDesk.exe (PID: 6040)
      • AnyDesk.exe (PID: 4380)
      • AnyDesk.exe (PID: 1672)

    • Process checks whether UAC notifications are on

      • AnyDesk.exe (PID: 6040)

    • The sample compiled with english language support

      • AnyDesk.exe (PID: 6040)
      • AnyDesk.exe (PID: 4380)

    • Creates files or folders in the user directory

      • AnyDesk.exe (PID: 1672)
      • AnyDesk.exe (PID: 4380)
      • AnyDesk.exe (PID: 6040)

    • Reads the machine GUID from the registry

      • AnyDesk.exe (PID: 4380)
      • AnyDesk.exe (PID: 6040)

    • Checks proxy server information

      • AnyDesk.exe (PID: 1672)

    • Reads CPU info

      • AnyDesk.exe (PID: 1672)

    • Process checks computer location settings

      • AnyDesk.exe (PID: 4380)
      • AnyDesk.exe (PID: 1672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:20 10:47:21+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 10752
InitializedDataSize: 5611520
UninitializedDataSize: 18648576
EntryPoint: 0x1ce5
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 9.0.5.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: AnyDesk Software GmbH
FileDescription: AnyDesk
FileVersion: 9.0.5
ProductName: AnyDesk
ProductVersion: 9
LegalCopyright: (C) 2025 AnyDesk Software GmbH
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
131
Monitored processes
4
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start anydesk.exe no specs #ADWARE anydesk.exe anydesk.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1672"C:\Users\admin\AppData\Local\Temp\AnyDesk.exe" --local-controlC:\Users\admin\AppData\Local\Temp\AnyDesk.exeAnyDesk.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Version:
9.0.5
Modules
Images
c:\users\admin\appdata\local\temp\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
4380"C:\Users\admin\AppData\Local\Temp\AnyDesk.exe" --local-serviceC:\Users\admin\AppData\Local\Temp\AnyDesk.exe
AnyDesk.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Version:
9.0.5
Modules
Images
c:\users\admin\appdata\local\temp\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
6040"C:\Users\admin\AppData\Local\Temp\AnyDesk.exe" C:\Users\admin\AppData\Local\Temp\AnyDesk.exeexplorer.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Version:
9.0.5
Modules
Images
c:\users\admin\appdata\local\temp\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
7520C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
1 073
Read events
1 073
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
3
Text files
237
Unknown types
0

Dropped files

PID
Process
Filename
Type
6040AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF10b78a.TMP
MD5:
SHA256:
6040AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF10b817.TMP
MD5:
SHA256:
6040AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF10b855.TMP
MD5:
SHA256:
6040AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF10b865.TMP
MD5:
SHA256:
6040AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF10b96e.TMP
MD5:
SHA256:
6040AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF10b97e.TMP
MD5:
SHA256:
6040AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF10b98e.TMP
MD5:
SHA256:
4380AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\system.conf~RF10bb43.TMP
MD5:
SHA256:
1672AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF10bb72.TMP
MD5:
SHA256:
1672AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF10bb82.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
20
DNS requests
16
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7360
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
23.216.77.42:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7360
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4380
AnyDesk.exe
POST
200
18.245.86.79:80
http://api.playanext.com/httpapi
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.216.77.42:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
4380
AnyDesk.exe
57.129.37.28:443
boot.net.anydesk.com
FR
whitelisted
4380
AnyDesk.exe
51.178.65.229:443
relay-07ea9365.net.anydesk.com
OVH SAS
FR
whitelisted
6544
svchost.exe
20.190.160.67:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.216.77.42
  • 23.216.77.28
whitelisted
google.com
  • 142.250.185.174
whitelisted
boot.net.anydesk.com
  • 185.229.190.236
  • 195.181.174.167
  • 57.129.37.75
  • 92.223.88.41
  • 92.223.88.232
  • 92.223.88.7
  • 57.129.19.230
  • 185.229.191.44
  • 185.229.191.39
  • 57.129.37.28
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
relay-07ea9365.net.anydesk.com
  • 51.178.65.229
whitelisted
login.live.com
  • 20.190.160.67
  • 20.190.160.130
  • 20.190.160.64
  • 40.126.32.68
  • 20.190.160.20
  • 40.126.32.134
  • 40.126.32.72
  • 20.190.160.132
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
www.microsoft.com
  • 69.192.161.161
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET REMOTE_ACCESS Anydesk Relay Domain (net .anydesk .com) in DNS Lookup
2196
svchost.exe
Misc activity
ET REMOTE_ACCESS Anydesk Relay Domain (net .anydesk .com) in DNS Lookup
2196
svchost.exe
Misc activity
ET REMOTE_ACCESS Anydesk Domain (boot .net .anydesk .com) in DNS Lookup
4380
AnyDesk.exe
Potential Corporate Privacy Violation
ET REMOTE_ACCESS AnyDesk Remote Desktop Software User-Agent
4380
AnyDesk.exe
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] Driver Updater Setup Process
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
AnyDesk.exe