Windows Analysis Report
T0pdaslk-guangwang-winelkxcac-64.msi

Overview

General Information

Sample name: T0pdaslk-guangwang-winelkxcac-64.msi
Analysis ID: 1621377
MD5: 09fc3a5af26388a6909a2b0643ad644e
SHA1: 83423788bb21f3a47e02f89d3e604bf135f42080
SHA256: 0c8017e92fd56f96da5b8f01c219d4a90f80da94b360c59ce81618c9df55c88b

Detection

GhostRat
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected GhostRat
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Detected VMProtect packer
Drops password protected ZIP file
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Modifies the windows firewall
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Performs DNS TXT record lookups
Sample is not signed and drops a device driver
Sets debug register (to hijack the execution of another thread)
Sigma detected: Potentially Suspicious Malware Callback Communication
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect debuggers (CloseHandle check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Installs a global mouse hook
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Stores large binary data to the registry
Yara signature match

Classification

Ransomware
Spreading
Phishing
Banker
Trojan / Bot
Adware
Spyware
Exploiter
Evader
Miner
clean
suspicious
malicious
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB2FB000.00000002.00000001.01000000.00000017.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_96b3629b-7
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\CrashReport.exe
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\ToDesk.exe
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\uninst.exe
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\zrtc.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\cameramic
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\cameramic\devcon.exe
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\cameramic\todeskaudio.cat
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\cameramic\ToDeskAudio.inf
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\cameramic\ToDeskAudio.sys
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\cameramic\virtual_camera_x64.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\cameramic\virtual_camera_x86.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\tdgamepad
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\tdgamepad\devcon.exe
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\tdgamepad\tdgamepad.cat
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\tdgamepad\TdGamePad.inf
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\tdgamepad\TdGamepad.sys
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\tdscreen
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\tdscreen\devcon.exe
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\tdscreen\tdidd.cat
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\tdscreen\tdIdd.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\tdscreen\tdIdd.inf
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\vhid
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\vhid\devcon.exe
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\vhid\todeskvhid.cat
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\vhid\TodeskVhid.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\vhid\TodeskVhid.inf
Source: C:\Program Files\ToDesk\ToDesk.exe Directory created: C:\Program Files\ToDesk\config.ini
Source: C:\Program Files\ToDesk\ToDesk.exe Directory created: C:\Program Files\ToDesk\Logs
Source: C:\Program Files\ToDesk\ToDesk.exe Directory created: C:\Program Files\ToDesk\Logs\servicexejnqytw_2025_02_21.log
Source: C:\Program Files\ToDesk\ToDesk.exe Directory created: C:\Program Files\ToDesk\Logs\sdkservicepulmxguu_2025_02_21.log
Source: C:\Program Files\ToDesk\ToDesk.exe Directory created: C:\Program Files\ToDesk\Logs\zrtcserviceewwszqlz_2025_02_21.log
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: Microsoft_Xtools.exe, 0000000D.00000002.1603179504.00007FFF46F85000.00000002.00000001.01000000.0000000A.sdmp, vcruntime140_1.dll.12.dr
Source: Binary string: D:\jenkins\workspace\todesk-toc-win\bin\x64\Release\todesk\ToDesk.pdb source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: D:\gitlab\vhid\driver\umdf2\x64\Release\TodeskVhid.pdb source: ToDesk_Setup.exe, 00000012.00000002.1874957635.000000000041E000.00000004.00000001.01000000.0000000C.sdmp, ToDesk_Setup.exe, 00000012.00000002.1874957635.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x64\stdDllWrapper.pdb source: T0pdaslk-guangwang-winelkxcac-64.msi, 4cdca3.rbs.2.dr, MSIE927.tmp.2.dr
Source: Binary string: d:\agent\_work\2\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: Microsoft_Xtools.exe, 0000000D.00000002.1602453751.00007FFF415B2000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: zrtc.dll.pdb source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF26671000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: E:\NiuniuCapture\niuniu_src\nsNiuniuSkin\plugin\nsNiuniuDUI.pdb source: ToDesk_Setup.exe, 00000012.00000002.1883171743.000000006D111000.00000040.00000001.01000000.0000000E.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Microsoft_Xtools.exe, 0000000D.00000002.1603452415.00007FFF46FA3000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Microsoft_Xtools.exe, 0000000D.00000002.1603452415.00007FFF46FA3000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: virtual_camera_x86.dll.pdb source: virtual_camera_x86.dll.18.dr
Source: Binary string: D:\jenkins\workspace\todesk-toc-win\bin\x64\Release\todesk\ToDesk.pdb. source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy -O2 -Ob2 -MT /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -D_WIN32_WINNT=0x0501 -D_USING_V110_SDK71_crypto\ex_data.c source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: T0pdaslk-guangwang-winelkxcac-64.msi, MSIA690.tmp.1.dr, MSI2A0D.tmp.1.dr, MSIA621.tmp.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: Microsoft_Xtools.exe, 0000000D.00000002.1603179504.00007FFF46F85000.00000002.00000001.01000000.0000000A.sdmp, vcruntime140_1.dll.12.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy -O2 -Ob2 -MT /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -D_WIN32_WINNT=0x0501 -D_USING_V110_SDK71_ source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp
Source: C:\Windows\explorer.exe File opened: z:
Source: C:\Windows\explorer.exe File opened: x:
Source: C:\Windows\explorer.exe File opened: v:
Source: C:\Windows\explorer.exe File opened: t:
Source: C:\Windows\explorer.exe File opened: r:
Source: C:\Windows\explorer.exe File opened: p:
Source: C:\Windows\explorer.exe File opened: n:
Source: C:\Windows\explorer.exe File opened: l:
Source: C:\Windows\explorer.exe File opened: j:
Source: C:\Windows\explorer.exe File opened: h:
Source: C:\Windows\explorer.exe File opened: f:
Source: C:\Windows\System32\svchost.exe File opened: d:
Source: C:\Windows\explorer.exe File opened: b:
Source: C:\Windows\explorer.exe File opened: y:
Source: C:\Windows\explorer.exe File opened: w:
Source: C:\Windows\explorer.exe File opened: u:
Source: C:\Windows\explorer.exe File opened: s:
Source: C:\Windows\explorer.exe File opened: q:
Source: C:\Windows\explorer.exe File opened: o:
Source: C:\Windows\explorer.exe File opened: m:
Source: C:\Windows\explorer.exe File opened: k:
Source: C:\Windows\explorer.exe File opened: i:
Source: C:\Windows\explorer.exe File opened: g:
Source: C:\Windows\explorer.exe File opened: e:
Source: C:\Program Files\ToDesk\ToDesk.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Windows\explorer.exe File opened: [:

Networking

Source: Network traffic Suricata IDS: 2052875 - Severity 1 - ET MALWARE Winos4.0 Framework CnC Login Message : 192.168.2.16:49909 -> 47.238.100.22:4433
Source: C:\Windows\explorer.exe Network Connect: 47.238.100.22 4433
Source: global traffic TCP traffic: 192.168.2.16:49909 -> 47.238.100.22:4433
Source: Joe Sandbox View ASN Name: CHARTER-20115US CHARTER-20115US
Source: unknown TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: global traffic DNS traffic detected: DNS query: authds.todesk.com
Source: global traffic DNS traffic detected: DNS query: authds.kylinlot.com
Source: global traffic DNS traffic detected: DNS query: todeskcdnspeed.todesk.com
Source: ToDesk.exe, 00000038.00000002.2295229401.00007FFF26301000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://.jpg
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http:///dump.php?dumpserver.compresstypelognamedatetimedate
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://EVSecure-crl.geotrust.com/GeoTrustPCA.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://EVSecure-ocsp.geotrust.com0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://aia.startssl.com/certs/ca.crt0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://aia.startssl.com/certs/ca.crt02
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://aia1.wosign.com/ca1-class3-server.cer0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://aia1.wosign.com/ca1g2-server3.cer0
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://apibuss.RemoteTemporaryPasswordRemoteReplicationIDUpdateTempPassCustomChangePassword:x
Source: explorer.exe, 0000000E.00000002.2534919873.0000000007280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1547538044.000000000724F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1556114866.00000000088D7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF26085000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://certificates.godaddy.com/repository/gd_intermediate.crt0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://certs.starfieldtech.com/repository/1402
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl.certum.pl/ca.crl0h
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0;
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl.entrust.net/g2ca.crl0;
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl.entrust.net/rootca1.crl0;
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl.geotrust.com/GeoTrustPCA-G3.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26086000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26089000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl.geotrust.com/crls/gtglobal.crl04
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26086000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl.geotrust.com/crls/secureca.crl0F
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26086000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl.geotrust.com/crls/secureca.crl0N
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl.globalsign.com/root.crl0V
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26089000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 0000003A.00000002.2295034169.00007FFF26088000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl.globalsign.net/root.crl0=
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2608A000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl.starfieldtech.com/sfroot-g2.crl0L
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl.starfieldtech.com/sfroot.crl0L
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl.startssl.com/sfsca.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl.startssl.com/sfsca.crl0f
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl.thawte.com/ThawtePCA-G3.crl0
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2608A000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 0000003A.00000002.2295034169.00007FFF26088000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: svchost.exe, 00000000.00000002.2507661800.000001EB66200000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl.ws.symantec.com/universal-root.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: explorer.exe, 0000000E.00000002.2534919873.0000000007280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1547538044.000000000724F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1556114866.00000000088D7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, virtual_camera_x86.dll.18.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: explorer.exe, 0000000E.00000002.2534919873.0000000007280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2586897655.00000000088EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2060237428.00000000088EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1547538044.000000000724F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1556114866.00000000088D7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF2609E000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crls1.wosign.com/ca1.crl0m
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crls1.wosign.com/ca1.crl0q
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp, ToDesk.exe, 00000033.00000003.1895351771.00000208CF81B000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000033.00000003.1893771860.00000208CF80C000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000033.00000002.1903608888.00000208CF81B000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000034.00000002.2488420310.00000257CD379000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000002.1893565314.000001B611B45000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1887714459.000001B611B35000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000003.2208474981.00000271BDEEC000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2246294725.00000271BDF05000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2206614243.000001ED0F0D0000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000002.2243853530.000001ED0F0E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dumpserver.todesk.com/dump.php
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://dumpserver.todesk.com/dump.phpSymInitialize
Source: svchost.exe, 00000000.00000003.1203206451.000001EB66130000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB2FB000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://faac.sourceforge.net/)
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://g.symcb.com/GeoTrustPCA-G3.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26086000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://g.symcb.com/crls/gtglobal.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF26087000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 0000003A.00000002.2295034169.00007FFF26088000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://g.symcb.com/crls/gtglobal.crl0.
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26086000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://g.symcd.com0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF26087000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 0000003A.00000002.2295034169.00007FFF26088000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://g.symcd.com0L
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2608A000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://g1.symcb.com/GeoTrustPCA.crl0)
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26089000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://g1.symcb.com/crls/gtglobal.crl0/
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2608A000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://g2.symcb.com0G
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26089000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://g2.symcb.com0L
Source: ToDesk.exe, 00000038.00000002.2295229401.00007FFF26301000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://html4/loose.dtd
Source: ToDesk_Setup.exe, 0000000F.00000000.1551522906.000000000040A000.00000008.00000001.01000000.0000000C.sdmp, ToDesk_Setup.exe, 00000012.00000002.1874957635.000000000040A000.00000004.00000001.01000000.0000000C.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://o.ss2.us/0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 0000003A.00000002.2295034169.00007FFF2609C000.00000002.00000001.01000000.00000018.sdmp, virtual_camera_x86.dll.18.dr String found in binary or memory: http://ocsp.digicert.com0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF2609E000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://ocsp.digicert.com0K
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://ocsp.digicert.com0M
Source: explorer.exe, 0000000E.00000002.2534919873.00000000071E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1547538044.00000000071CD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://ocsp.entrust.net00
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://ocsp.entrust.net02
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26089000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://ocsp.geotrust.com0L
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26089000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 0000003A.00000002.2295034169.00007FFF26088000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://ocsp.globalsign.com/rootr10
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2608A000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://ocsp.godaddy.com/02
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://ocsp.godaddy.com/05
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF26085000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://ocsp.godaddy.com/0J
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://ocsp.starfieldtech.com/08
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://ocsp.starfieldtech.com/0;
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://ocsp.startssl.com/ca0-
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://ocsp.startssl.com/ca00
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://ocsp.startssl.com00
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2608A000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://ocsp.thawte.com0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://ocsp.thawte.com0;
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://ocsp.ws.symantec.com0k
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://ocsp1.wosign.com/ca104
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://ocsp1.wosign.com/ca108
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://pca-g3-ocsp.geotrust.com0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://repository.certum.pl/ca.cer09
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF26085000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://s../../net/third_party/quiche/src/quic/core/crypto/certificate_view.cc
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF26085000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://s../../net/third_party/quiche/src/quic/core/crypto/certificate_view.ccInvalid
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://s.ss2.us/r.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://s2.symcb.com0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://s2.symcb.com0k
Source: explorer.exe, 0000000E.00000002.2466701365.0000000000B61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.micr
Source: explorer.exe, 0000000E.00000000.1545905770.00000000025F0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB2FB000.00000002.00000001.01000000.00000017.sdmp, ToDesk.exe.18.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB2FB000.00000002.00000001.01000000.00000017.sdmp, ToDesk.exe.18.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://subca.ocsp-certum.com0.
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://subca.ocsp-certum.com01
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://t.symcb.com/ThawtePCA.crl0)
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://t.symcd.com01
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF2609E000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0)
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF2609E000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0/
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF2609E000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://t2.symcb.com0;
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF2609E000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://t2.symcb.com0A
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000002.1889947432.000001B611B16000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDED4000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000003.2208474981.00000271BDEEC000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2246294725.00000271BDF05000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDECD000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2238552863.00000271BDE77000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000002.2242807873.000001ED0F0AB000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2206614243.000001ED0F0D0000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2228056997.000001ED0F0B6000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000002.2243853530.000001ED0F0E3000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2228056997.000001ED0F0AA000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0A2000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2220802918.000001ED0F0A9000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2220802918.000001ED0F0B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/&
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDED4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/&oq
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/2
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/4
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/8
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/AT;.CMD;.VBS;.VBE;.JS;7
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/F
Source: ToDesk.exe, 00000033.00000003.1895351771.00000208CF81B000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000033.00000003.1893771860.00000208CF80C000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000033.00000002.1903608888.00000208CF81B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/G
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/In
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/J
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/N
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/OCESSORS=4
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/OGONSERVER=9
Source: ToDesk.exe, 00000033.00000003.1896854871.00000208CF7DA000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000033.00000002.1902486191.00000208CF7E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/P
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/R
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/SCPROCESSO
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/System32
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/TPath=C:
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/Windows
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/amW6432=C:
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/b
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/https://uc.todesk.com/https://user.todesk.com/upload.php?token=tode
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/ily
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/ineIntelPR
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/les;C:
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/m
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/m32
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/mW6432=C:
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDECD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/o
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/odules;C:
Source: ToDesk.exe, 00000033.00000003.1896854871.00000208CF7DA000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000033.00000002.1902486191.00000208CF7E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/p
Source: ToDesk.exe, 00000033.00000003.1896854871.00000208CF7DA000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000033.00000002.1902486191.00000208CF7E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/p_
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/rh
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/s
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/t3
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/vh
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/ws
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/~h
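Most of the strings in this block are not hosts the sample contacted: the `ocsp.*`, `crl`, `symcb`/`symcd`, `certum`, `startssl` and similar URLs are the AIA/CRL pointers of certificates embedded in the bundled TLS library, and their trailing `0`, `0K`, `0L`, `03` bytes are the DER SEQUENCE tag (0x30, ASCII `0`) and length byte of the next certificate element, not part of the URL. The `http://todeskcdnspeed.todesk.com/...` variants with tails such as `OGONSERVER=9`, `amW6432=C:` and `AT;.CMD;.VBS;.VBE;.JS;7` are one URL followed by bytes of an adjacent environment block (`LOGONSERVER=`, `ProgramW6432=`, `PATHEXT=`), again not distinct paths. A string in memory is evidence of embedding, not of a connection; correlate with the report's network and DNS sections before treating a host as an IOC. The script below is an added example, not part of the sandbox report: it parses lines in this section's own `Source: ... String found in binary or memory: ...` format, strips the DER and environment-block residue, groups strings by host, and separates CA infrastructure from the application's own domain. The regexes, the `CA_DOMAINS` / `APP_DOMAINS` lists and the residue heuristics are my assumptions; the sample lines are copied from this section.

```python
import re
from collections import defaultdict

# Line grammar of this section (regexes written for this example, not from the report tool):
#   Source: <proc>, <dump>.sdmp[, <proc>, <dump>.sdmp ...][, <file>.dr] String found in binary or memory: <string>
LINE_RE = re.compile(
    r"^Source:\s+(?P<sources>.+?)\s+String found in binary or memory:\s+(?P<s>\S+)\s*$"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/\s]+)(?P<path>/\S*)?$")

# Apex domains of certificate revocation / policy infrastructure (assumption: hand-picked from the list).
CA_DOMAINS = ("symcb.com", "symcd.com", "digicert.com", "geotrust.com", "entrust.net",
              "godaddy.com", "starfieldtech.com", "startssl.com", "wosign.com", "certum.pl",
              "ocsp-certum.com", "symauth.com", "globalsign.com", "amazontrust.com",
              "thawte.com", "ss2.us", "certplus.com", "keynectis.com", "symantec.com")
# Domains treated as the application's own backend (assumption: taken from the ToDesk.exe strings).
APP_DOMAINS = ("todesk.com",)

# Sample input copied from this section (shortened to a handful of lines).
SAMPLE_LINES = [
    "Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://dumpserver.todesk.com/dump.phpSymInitialize",
    "Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://ocsp.digicert.com0M",
    "Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 0000003A.00000002.2295034169.00007FFF2609C000.00000002.00000001.01000000.00000018.sdmp, virtual_camera_x86.dll.18.dr String found in binary or memory: http://ocsp.digicert.com0",
    "Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://g.symcd.com0L",
    "Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/OGONSERVER=9",
    "Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://todeskcdnspeed.todesk.com/amW6432=C:",
    "Source: svchost.exe, 00000005.00000002.1368418659.000001CA68213000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bingmapsportal.com",
    "Source: ToDesk.exe, 00000038.00000002.2295229401.00007FFF26301000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://html4/loose.dtd",
]


def strip_der_residue(host: str) -> str:
    """Drop a trailing '0' plus at most one more byte from a host.

    URLs inside X.509 extensions are followed by 0x30 (ASCII '0', DER SEQUENCE tag)
    and a length byte, so 'ocsp.digicert.com0K' is really 'ocsp.digicert.com'.
    Public TLDs never end in a digit, so real hostnames are left untouched (heuristic)."""
    return re.sub(r"0[^.]?$", "", host)


def split_url(s: str):
    """Return (cleaned host, path) for an http(s) string, or (None, '') otherwise."""
    m = URL_RE.match(s)
    if not m:
        return None, ""
    return strip_der_residue(m.group("host")), m.group("path") or ""


def host_of(s: str):
    return split_url(s)[0]


def classify(host: str) -> str:
    h = host.lower()
    if any(h == d or h.endswith("." + d) for d in CA_DOMAINS):
        return "ca-infra"
    if any(h == d or h.endswith("." + d) for d in APP_DOMAINS):
        return "app"
    return "other"


def looks_like_env_residue(path: str) -> bool:
    """Heuristic: '/OGONSERVER=9' or '/AT;.CMD;.VBS;' is the tail of a neighbouring
    environment block (LOGONSERVER=, PATHEXT=), not a URL path. Query strings ('?') are exempt."""
    return "?" not in path and ("=" in path or ";" in path)


def parse_sources(field: str):
    """Split the comma-separated source field into process names, (proc, dump) pairs and dropped files."""
    procs, dumps, dropped = set(), [], []
    pending = None
    for tok in (t.strip() for t in field.split(",")):
        if tok.endswith(".sdmp"):
            dumps.append((pending, tok))   # memory dump belongs to the preceding process name
        elif tok.endswith(".dr"):
            dropped.append(tok)            # dropped-file source, no process
        elif tok:
            pending = tok
            procs.add(tok)
    return procs, dumps, dropped


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    procs, dumps, dropped = parse_sources(m.group("sources"))
    host, path = split_url(m.group("s"))
    return {"string": m.group("s"), "host": host, "path": path,
            "procs": procs, "dumps": dumps, "dropped": dropped}


def triage(lines):
    """Group report lines by cleaned host; record class, raw variants, processes, dropped files."""
    out = defaultdict(lambda: {"class": None, "strings": set(), "procs": set(),
                               "dropped": set(), "env_residue": 0})
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["host"] is None:
            continue
        e = out[rec["host"]]
        e["class"] = classify(rec["host"])
        e["strings"].add(rec["string"])
        e["procs"] |= rec["procs"]
        e["dropped"] |= set(rec["dropped"])
        if looks_like_env_residue(rec["path"]):
            e["env_residue"] += 1
    return dict(out)


if __name__ == "__main__":
    for host, e in sorted(triage(SAMPLE_LINES).items(), key=lambda kv: (kv[1]["class"], kv[0])):
        print(f"{e['class']:<9} {host:<28} variants={len(e['strings'])} "
              f"env_residue={e['env_residue']} procs={sorted(e['procs'])} dropped={sorted(e['dropped'])}")
```

Run over the full section, the `ca-infra` bucket absorbs the bulk of the list and the `app` bucket collapses the forty-odd `todeskcdnspeed.todesk.com/...` variants into one host; what remains in `other` (for example the `explorer.exe` and `svchost.exe` strings) is Windows' own telemetry and update endpoints, which should be compared against a clean baseline of the same OS build before being attributed to the sample.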
Source: svchost.exe, 00000005.00000002.1368418659.000001CA68213000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF26087000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.certum.pl/CPS0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.entrust.net/CPS0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.entrust.net/rpa0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF26087000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26086000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26089000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 0000003A.00000002.2295034169.00007FFF26088000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.geotrust.com/resources/cps0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26089000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.geotrust.com/resources/cps0)
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.geotrust.com/resources/cps06
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.geotrust.com/resources/cps0;
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.geotrust.com/resources/cps0A
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF26087000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.keynectis.com/PC07
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF26087000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.keynectis.com/PC08
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.startssl.com/intermediate.pdf0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.startssl.com/policy.pdf04
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.startssl.com/policy0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.startssl.com/sfsca.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.startssl.com/sfsca.crt0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.symauth.com/rpa0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.symauth.com/rpa0)
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF260B7000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.videolan.org/x264.html
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-time
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-send-timehttp://www.ietf.org/id/draft-holmer-rmcat-
Source: ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-send-timehttp://www.webrtc.org/experiments/rtp-hdre
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/color-space
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/generic-frame-descriptor-00
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/inband-cn
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/playout-delay
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/transport-wide-cc-02
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/transport-wide-cc-02http://www.webrtc.org/experiments/r
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-content-type
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-layers-allocation00
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-timing
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB2FB000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB2FB000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://www.winimage.com/zLibDllNULinvalid
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.wosign.com/policy/0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://x.ss2.us/x.cer0&
Source: explorer.exe, 0000000E.00000000.1556114866.0000000008888000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppche_16.dbK
Source: explorer.exe, 0000000E.00000000.1564679551.000000000BF18000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000E.00000002.2626418957.000000000BF31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2008974722.000000000BF31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1564679551.000000000BF18000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS0
Source: explorer.exe, 0000000E.00000002.2626418957.000000000BF31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2008974722.000000000BF31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1564679551.000000000BF18000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS2F
Source: explorer.exe, 0000000E.00000002.2626418957.000000000BF31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2008974722.000000000BF31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1564679551.000000000BF18000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOSdf
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension
Source: explorer.exe, 0000000E.00000000.1556114866.0000000008710000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2586897655.000000000875E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000E.00000000.1545476893.0000000000B14000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1546224158.0000000002F60000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2520908782.0000000002F7E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000E.00000000.1556114866.00000000087E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2586897655.0000000008821000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000000E.00000002.2534919873.0000000007160000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=BD3E37D8C4964A928E655AAA177D65C1&timeOut=5000&oc
Source: explorer.exe, 0000000E.00000002.2534919873.0000000007160000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2520908782.0000000002F85000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1546224158.0000000002F60000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: svchost.exe, 00000005.00000003.1366669919.000001CA68258000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: explorer.exe, 0000000E.00000000.1556114866.00000000087E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2586897655.0000000008802000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/WindyV2.svg
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://becausemomsays.com/she-wanted-to-keep-her-deceased-husbands-ring-so-she-selfishly-denied-her
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13g0vJ
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13g0vJ-dark
Source: explorer.exe, 0000000E.00000002.2534919873.00000000071A1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gK0V
Source: explorer.exe, 0000000E.00000002.2534919873.00000000071A1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gK0V-dark
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2608A000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: https://certs.godaddy.com/repository/0
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: https://certs.starfieldtech.com/repository/0
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cookpolitical.com/2020-national-popular-vote-tracker
Source: ToDesk.exe, 00000038.00000002.2295229401.00007FFF261FA000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: https://crbug.com/1053756
Source: ToDesk.exe, 00000038.00000002.2295229401.00007FFF261FA000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: https://crbug.com/1053756ICE
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF261FB000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: https://crbug.com/778929.
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF261FB000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: https://crbug.com/778929.%016llX%016llXKernel32.dll../../base/threading/platform_thread_win.ccJoin((
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDED4000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000003.2208474981.00000271BDEEC000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDECD000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2238552863.00000271BDE77000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000002.2242807873.000001ED0F0AB000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2206614243.000001ED0F0D0000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2228056997.000001ED0F0B6000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2228056997.000001ED0F0AA000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0A2000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2220802918.000001ED0F0A9000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2220802918.000001ED0F0B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/download
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/download(
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/download)
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/download1
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/download7v
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2228056997.000001ED0F0B6000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0A2000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2220802918.000001ED0F0B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/download8
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/download86)=C:
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/download:
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadC:
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadEB
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadNh
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadPATHEX
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadProgramA
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadROCESSOR_IDENT3
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadV
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadZh
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadf
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadgram
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadj
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadm
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadneIntelPROCES/
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadngComm
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadogramDa
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadram
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadstem32
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadstemDri
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadtem32
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadtions
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadverData=C:
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadws
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadwsTEMP
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadystem32
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD379000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/downloadz5
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas-personal.todesk.com/download~
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F08A000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000002.2238241659.000001ED0F08A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDEC3000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2238552863.00000271BDE77000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0CB000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2228056997.000001ED0F0B6000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000002.2243465242.000001ED0F0CB000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2228056997.000001ED0F0A3000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2219526305.000001ED0F0C4000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0A2000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0C4000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2219526305.000001ED0F0CB000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2220802918.000001ED0F0B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/console
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/console$
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/console(
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/console.
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDEC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/console.xS
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/console0
Source: ToDesk.exe, 00000033.00000003.1896854871.00000208CF7DA000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000033.00000002.1902486191.00000208CF7EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/console0Ds
Source: ToDesk.exe, 00000033.00000003.1896854871.00000208CF7DA000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/console5
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/console5x
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/console9
Source: ToDesk.exe, 00000033.00000003.1896854871.00000208CF7DA000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000033.00000002.1902486191.00000208CF7EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/console:Di
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/console;C:
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consoleA
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consoleC:
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consoleE;.J
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consoleF
Source: ToDesk.exe, 00000033.00000003.1896854871.00000208CF7DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consoleG
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDEC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consoleH
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consoleP
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consoleRS=4
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consoleW7
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consoleY
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consoleZ
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consoleali
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consoleb
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consolec
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consoledy
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consolee
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consolei
Source: ToDesk.exe, 00000033.00000003.1896854871.00000208CF7DA000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consolek
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consoleky
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consolele
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD331000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consoleo
Source: ToDesk.exe, 00000033.00000003.1896854871.00000208CF7DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consolep
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consoleq
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B2C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consoleq$
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2219526305.000001ED0F0C4000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consoles
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consoleuy
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consolew
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/consolex
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com/console~
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD379000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.com:
Source: ToDesk.exe, 00000037.00000003.1887714459.000001B611B35000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1889100952.000001B611B4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://daas.todesk.comkF
Source: explorer.exe, 0000000E.00000000.1556114866.0000000008888000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: svchost.exe, 00000005.00000002.1368925789.000001CA68259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1366669919.000001CA68258000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wechat.todesk.comam
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wechat.todesk.comaxQ
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD331000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wechat.todesk.come
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wechat.todesk.comezxD
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wechat.todesk.comn
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wechat.todesk.comnseLI-P
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wechat.todesk.comows
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wechat.todesk.comr
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wechat.todesk.coms
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wechat.todesk.comtionny
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wigreports.com/about/
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000E.00000000.1556114866.0000000008AA9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/gr.exel
Source: explorer.exe, 0000000E.00000002.2626418957.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2040398375.000000000BFDE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1564679551.000000000BF65000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com8E
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.270towin.com/
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 0000003A.00000002.2295034169.00007FFF26088000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: https://www.alphassl.com/repository/03
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF2609E000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.financebuzz.com/clever-debt-payoff-55mp?utm_source=msn&utm_medium=feed&synd_slide=1&synd
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.forbes.com/sites/elanagross/2020/10/28/trump-administration-uses-philadelphia-protests-t
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2608A000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: https://www.geotrust.com/resources/cps04
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: https://www.geotrust.com/resources/cps06
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26086000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: https://www.geotrust.com/resources/repository0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26089000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: https://www.globalsign.com/repository/03
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/autos/buying/if-your-old-car-has-any-of-these-16-problems-consider-buying-
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/health/medical/mayo-clinic-minute-who-benefits-from-taking-statins/ar-AA1h
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/health/medical/scientists-reveal-new-findings-about-older-adults-who-take-
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/15-attributes-of-truly-good-men/ss-AA1hJKQY
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/there-are-8-types-of-intelligence-which-one-is-yo
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/if-any-of-these-11-things-describes-you-you-ve-climb
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/george-santos-former-campaign-treasurer-pleads-guilty-to-fed
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/the-state-with-the-most-liberals-isn-t-userfornia-or-new-yor
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-asks-for-jan-6-dismissal-because-coup-attempt-was-part
Source: explorer.exe, 0000000E.00000002.2534919873.00000000071A1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/technology/the-most-stunning-space-images-captured-in-2023-so-far/ar-
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/russian-official-proposes-invading-five-nato-countries/ar-AA1hJ
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/the-nobel-peace-prize-will-be-announced-in-oslo-the-laureate-is
Source: explorer.exe, 0000000E.00000002.2534919873.0000000007160000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 0000003A.00000002.2295034169.00007FFF26088000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: https://www.thawte.com/cps0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF2609E000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: https://www.thawte.com/cps0)
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF2609E000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: https://www.thawte.com/cps02
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: https://www.thawte.com/cps07
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.theatlantic.com/politics/archive/2014/02/the-origin-of-liberalism/283780/
Source: ToDesk_Setup.exe, 00000012.00000002.1875989381.00000000005CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.todesk.com
Source: ToDesk_Setup.exe, 00000012.00000002.1875989381.00000000005CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.todesk.com/download.htmlToDesk
Source: ToDesk_Setup.exe, 00000012.00000002.1875989381.00000000005CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.todesk.com/download.htmlopen
Source: ToDesk_Setup.exe, 00000012.00000002.1875989381.00000000005CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.todesk.com/licence.htmleditLicenselicence_
Source: ToDesk_Setup.exe, 00000012.00000002.1875989381.00000000005CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.todesk.com/licence.htmlopen
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49978 -> 443
Source: explorer.exe, 00000013.00000002.2496852197.0000000000880000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_92ea00f5-4
Source: C:\Windows\explorer.exe Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp Binary or memory string: GetRawInputData memstr_85bbaee5-4
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Program Files\ToDesk\drivers\cameramic\todeskaudio.cat Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Program Files\ToDesk\drivers\tdgamepad\tdgamepad.cat Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Program Files\ToDesk\drivers\vhid\todeskvhid.cat Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Program Files\ToDesk\drivers\tdscreen\tdidd.cat Jump to dropped file

System Summary

Source: 0000000E.00000003.2019014454.000000000C199000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000D.00000002.1586294361.000001EADCDE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000013.00000002.2460978525.0000000000420000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000D.00000002.1587648854.000001EADE820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: Microsoft_Xtools.exe.12.dr Static PE information: .vmp0 and .vmp1 section names
Source: a11.zip.12.dr Zip Entry: encrypted
Source: a11.zip.12.dr Zip Entry: encrypted
Source: a11.zip.12.dr Zip Entry: encrypted
Source: a11.zip.12.dr Zip Entry: encrypted
Source: a11.zip.12.dr Zip Entry: encrypted
Source: a11.zip.12.dr Zip Entry: encrypted
Source: a11.zip.12.dr Zip Entry: encrypted
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Program Files\ToDesk\drivers\cameramic\ToDeskAudio.sys Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4cdca2.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE780.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE7DE.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{D35AFE46-73B4-4441-81DF-EDEE2029BCB9} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE927.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8A7.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSIE780.tmp Jump to behavior
Source: zrtc.dll.18.dr Static PE information: Number of sections : 18 > 10
Source: T0pdaslk-guangwang-winelkxcac-64.msi Binary or memory string: OriginalFilenamestdDllWrapper.dllF vs T0pdaslk-guangwang-winelkxcac-64.msi
Source: T0pdaslk-guangwang-winelkxcac-64.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs T0pdaslk-guangwang-winelkxcac-64.msi
Source: 0000000E.00000003.2019014454.000000000C199000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000D.00000002.1586294361.000001EADCDE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000013.00000002.2460978525.0000000000420000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000D.00000002.1587648854.000001EADE820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: BgWorker.dll.18.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: nsNiuniuSkin.dll.18.dr Static PE information: Section: UPX1 ZLIB complexity 0.9916166417738971
Source: T0pdaslk-guangwang-winelkxcac-64.msi Binary or memory string: h.slnu
Source: classification engine Classification label: mal100.troj.evad.winMSI@79/82@6/5
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ToDesk_Setup Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1768:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3752:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1916:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3908:120:WilError_03
Source: C:\Program Files\ToDesk\ToDesk.exe Mutant created: \BaseNamedObjects\ToDesk_Service_9BEF579D5A8F
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4712:120:WilError_03
Source: C:\Program Files\ToDesk\ToDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1696:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5144:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4108:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4856:120:WilError_03
Source: C:\Program Files\ToDesk\ToDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\ToDesk_Client_9BEF579D5A8F
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3168:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5000:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3044:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:736:120:WilError_03
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIA621.tmp Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\System32\msiexec.exe File read: C:\Windows\win.ini Jump to behavior
Source: C:\Windows\System32\svchost.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS Jump to behavior
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS AdInfoMsg(autoid INTEGER PRIMARY KEY AUTOINCREMENT,adid INTEGER NOT NULL,platform CHAR(256),position CHAR(256),imgurl CHAR(256),refurl CHAR(256),title CHAR(256),tip CHAR(256),begin CHAR(256),end CHAR(256),tipPriority INTEGER NOT NULL,start_timestamp INTEGER NOT NULL,expire_timestamp INTEGER NOT NULL,read INTEGER NOT NULL,push_timestamp INTEGER NOT NULL,adinfoid CHAR(256),userid CHAR(256) );
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp Binary or memory string: INSERT INTO AdInfoMsg VALUES(NULL, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', %d, %d, %d, %d, %d, '%s','%s');
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB2FB000.00000002.00000001.01000000.00000017.sdmp, ToDesk.exe.18.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS SysMsg(autoid INTEGER PRIMARY KEY AUTOINCREMENT,msgid INTEGER NOT NULL,type INTEGER NOT NULL,push_timestamp INTEGER NOT NULL,title CHAR(256),content CHAR(256),refurl CHAR(512),read INTEGER NOT NULL,userid CHAR(256) );
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp Binary or memory string: INSERT INTO SysMsg VALUES(NULL, %d, %d, %d, '%s', '%s', '%s', %d, '%s');
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB2FB000.00000002.00000001.01000000.00000017.sdmp, ToDesk.exe.18.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp Binary or memory string: INSERT INTO AdInfoMsg VALUES(NULL, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', %d, %d, %d, %d, %d,'%s','%s');
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB2FB000.00000002.00000001.01000000.00000017.sdmp, ToDesk.exe.18.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\T0pdaslk-guangwang-winelkxcac-64.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 897DC43AA7908FBDF146DB4280A4B33E C
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1D978FC4728A444D05DF5DFC6F0CB94A
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding A42AD45622494486CAE464114BFDCC7F
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe "C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\\Microsoft_Xtools.exe"
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe "C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe"
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe "C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\windows\explorer.exe
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c sc stop ToDesk_Service
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc stop ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c sc delete ToDesk_Service
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc delete ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c sc stop ToDesk_Service
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc stop ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c sc delete ToDesk_Service
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc delete ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="ToDesk"
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="ToDesk_Service"
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="ToDesk_Session"
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk" dir=in program="C:\Program Files\ToDesk\ToDesk.exe" edge=yes action=allow
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk" dir=out program="C:\Program Files\ToDesk\ToDesk.exe" action=allow
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk_Service" dir=in program="C:\Program Files\ToDesk\ToDesk_Service.exe" edge=yes action=allow
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk_Service" dir=out program="C:\Program Files\ToDesk\ToDesk_Service.exe" action=allow
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk_Session" dir=in program="C:\Program Files\ToDesk\ToDesk_Session.exe" edge=yes action=allow
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk_Session" dir=out program="C:\Program Files\ToDesk\ToDesk_Session.exe" action=allow
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Program Files\ToDesk\ToDesk.exe "C:\Program Files\ToDesk\ToDesk.exe"
Source: unknown Process created: C:\Program Files\ToDesk\ToDesk.exe "C:\Program Files\ToDesk\ToDesk.exe" --runservice
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\ToDesk\ToDesk.exe Process created: C:\Program Files\ToDesk\ToDesk.exe "C:\Program Files\ToDesk\ToDesk.exe" --hide --localPort=35600
Source: C:\Windows\explorer.exe Process created: C:\Program Files\ToDesk\ToDesk.exe "C:\Program Files\ToDesk\ToDesk.exe"
Source: C:\Program Files\ToDesk\ToDesk.exe Process created: C:\Program Files\ToDesk\ToDesk.exe "C:\Program Files\ToDesk\ToDesk.exe" --runadmin=true
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 897DC43AA7908FBDF146DB4280A4B33E C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1D978FC4728A444D05DF5DFC6F0CB94A
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding A42AD45622494486CAE464114BFDCC7F
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe "C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\\Microsoft_Xtools.exe"
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe "C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\windows\explorer.exe
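The process-creation lines above can be triaged mechanically rather than read one by one. The script below is an added example and is not part of the Joe Sandbox report or of the sample; it parses a constructed subset of the lines quoted above (the rule names, severities and helper functions are the example's own assumptions) and flags what the installer chain actually changes on the host: `netsh advfirewall firewall add rule ... dir=in edge=yes action=allow` creates an inbound allow rule with edge traversal, so the listed program may accept unsolicited connections arriving through a NAT or edge device; `sc stop` / `sc delete` tears down the existing ToDesk_Service; `--hide --localPort=35600` starts a hidden local listener; and msiexec.exe launching an executable from a GUID-named folder under the user profile is the installer dropping its payload.

```python
"""Triage 'Source: <parent> Process created: <child> <cmdline>' lines from a
Joe Sandbox style report. Added example; rule names and severities are the
example's own assumptions, not the report's."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the process-creation lines quoted in the
# report, two of them still carrying the page's 'Jump to behavior' link text.
SAMPLE_LINES = r"""
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c sc stop ToDesk_Service
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc stop ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c sc delete ToDesk_Service
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc delete ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="ToDesk"
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk" dir=in program="C:\Program Files\ToDesk\ToDesk.exe" edge=yes action=allow
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk" dir=out program="C:\Program Files\ToDesk\ToDesk.exe" action=allow
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk_Service" dir=in program="C:\Program Files\ToDesk\ToDesk_Service.exe" edge=yes action=allow
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk_Session" dir=in program="C:\Program Files\ToDesk\ToDesk_Session.exe" edge=yes action=allow
Source: C:\Program Files\ToDesk\ToDesk.exe Process created: C:\Program Files\ToDesk\ToDesk.exe "C:\Program Files\ToDesk\ToDesk.exe" --hide --localPort=35600
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe "C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\\Microsoft_Xtools.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\windows\explorer.exe Jump to behavior
"""

LINE_RE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: (?P<image>.+?\.exe)(?: (?P<cmdline>.*))?$", re.I)
NETSH_ADD = re.compile(r"advfirewall\s+firewall\s+add\s+rule\b(?P<args>.*)", re.I)
NETSH_DEL = re.compile(r"advfirewall\s+firewall\s+delete\s+rule\b", re.I)
SC_CMD = re.compile(r"^sc(?:\.exe)?\s+(?P<verb>stop|delete|create|config)\s+(?P<svc>\S+)", re.I)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # netsh key=value, quoted values may hold spaces


@dataclass
class Event:
    parent: str
    image: str
    cmdline: str


@dataclass
class Finding:
    severity: str
    rule: str
    parent: str
    image: str
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_report(text: str) -> list[Event]:
    """Parse report lines into events, dropping the web page's link residue."""
    events = []
    for raw in text.splitlines():
        line = re.sub(r"\s*Jump to behavior\s*$", "", raw.strip())
        m = LINE_RE.match(line)
        if m:
            events.append(Event(m["parent"], m["image"], m["cmdline"] or ""))
    return events


def netsh_args(args: str) -> dict:
    return {k.lower(): v.strip('"') for k, v in KV_RE.findall(args)}


def evaluate(ev: Event) -> list[Finding]:
    img, par, cmd = basename(ev.image), basename(ev.parent), ev.cmdline
    out = []
    if img == "netsh.exe":
        m = NETSH_ADD.search(cmd)
        if m:
            a = netsh_args(m["args"])
            if a.get("action", "").lower() == "allow":
                # edge=yes: the program may accept unsolicited traffic arriving
                # through a NAT/edge device, not only from LAN peers.
                if a.get("dir", "").lower() == "in" and a.get("edge", "").lower() == "yes":
                    out.append(Finding("high", "fw_inbound_edge_allow", ev.parent, ev.image,
                                       f"rule {a.get('name')} allows inbound edge traversal for {a.get('program')}"))
                else:
                    out.append(Finding("medium", "fw_allow_rule", ev.parent, ev.image,
                                       f"rule {a.get('name')} dir={a.get('dir')}"))
        elif NETSH_DEL.search(cmd):
            out.append(Finding("low", "fw_rule_deleted", ev.parent, ev.image, cmd))
    elif img == "sc.exe":
        m = SC_CMD.search(cmd)
        if m:
            out.append(Finding("medium", f"service_{m['verb'].lower()}", ev.parent, ev.image, m["svc"]))
    if "--hide" in cmd and "--localport=" in cmd.lower():
        out.append(Finding("medium", "hidden_local_listener", ev.parent, ev.image, cmd))
    if par == "msiexec.exe" and ev.image.lower().startswith("c:\\users\\"):
        out.append(Finding("medium", "installer_drops_payload_in_profile", ev.parent, ev.image, ev.image))
    if par == "explorer.exe" and img == "explorer.exe":
        out.append(Finding("low", "explorer_spawns_explorer", ev.parent, ev.image, cmd))
    return out


def triage(text: str) -> list[Finding]:
    return [f for ev in parse_report(text) for f in evaluate(ev)]


def summarize(findings: list[Finding]) -> dict:
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:6}] {f.rule:36} {basename(f.parent)} -> {basename(f.image)}: {f.detail}")
```

The service rules fire only on sc.exe itself, not on the cmd.exe wrapper that spawns it, so each stop/delete is counted once; the Defender `MpCmdRun.exe -wdenable` line is parsed but produces no finding, which is the behaviour you want from a rule set that is meant to surface the firewall, service and listener changes rather than every child process.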
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: oleacc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: riched20.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: usp10.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msls31.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Section loaded: unityplayer.dll Jump to behavior
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Section loaded: feclient.dll Jump to behavior
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: iconcodecservice.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: msftedit.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: windows.globalization.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: globinputhost.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe Section loaded: mscoree.dll
Source: C:\Windows\explorer.exe Section loaded: winmm.dll
Source: C:\Windows\explorer.exe Section loaded: dinput8.dll
Source: C:\Windows\explorer.exe Section loaded: inputhost.dll
Source: C:\Windows\explorer.exe Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\explorer.exe Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe Section loaded: napinsp.dll
Source: C:\Windows\explorer.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\explorer.exe Section loaded: wshbth.dll
Source: C:\Windows\explorer.exe Section loaded: nlaapi.dll
Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe Section loaded: winrnr.dll
Source: C:\Windows\explorer.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\explorer.exe Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\explorer.exe Section loaded: devenum.dll
Source: C:\Windows\explorer.exe Section loaded: devobj.dll
Source: C:\Windows\explorer.exe Section loaded: msasn1.dll
Source: C:\Windows\explorer.exe Section loaded: msdmo.dll
Source: C:\Windows\explorer.exe Section loaded: profapi.dll
Source: C:\Windows\explorer.exe Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 Jump to behavior
Source: ToDesk.lnk.18.dr LNK file: ..\..\..\Program Files\ToDesk\ToDesk.exe
Source: ToDesk.lnk0.18.dr LNK file: ..\..\..\..\..\..\Program Files\ToDesk\ToDesk.exe
Source: Uninstall ToDesk.lnk.18.dr LNK file: ..\..\..\..\..\..\Program Files\ToDesk\uninst.exe
Source: C:\Program Files\ToDesk\ToDesk.exe File written: C:\Program Files\ToDesk\config.ini
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File opened: C:\Windows\SysWOW64\Msftedit.dll Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\CrashReport.exe Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\ToDesk.exe Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\uninst.exe Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\zrtc.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\cameramic Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\cameramic\devcon.exe Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\cameramic\todeskaudio.cat Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\cameramic\ToDeskAudio.inf Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\cameramic\ToDeskAudio.sys Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\cameramic\virtual_camera_x64.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\cameramic\virtual_camera_x86.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\tdgamepad Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\tdgamepad\devcon.exe Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\tdgamepad\tdgamepad.cat Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\tdgamepad\TdGamePad.inf Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\tdgamepad\TdGamepad.sys Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\tdscreen Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\tdscreen\devcon.exe Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\tdscreen\tdidd.cat Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\tdscreen\tdIdd.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\tdscreen\tdIdd.inf Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\vhid Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\vhid\devcon.exe Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\vhid\todeskvhid.cat Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\vhid\TodeskVhid.dll Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Directory created: C:\Program Files\ToDesk\drivers\vhid\TodeskVhid.inf Jump to behavior
Source: C:\Program Files\ToDesk\ToDesk.exe Directory created: C:\Program Files\ToDesk\config.ini
Source: C:\Program Files\ToDesk\ToDesk.exe Directory created: C:\Program Files\ToDesk\Logs
Source: C:\Program Files\ToDesk\ToDesk.exe Directory created: C:\Program Files\ToDesk\Logs\servicexejnqytw_2025_02_21.log
Source: C:\Program Files\ToDesk\ToDesk.exe Directory created: C:\Program Files\ToDesk\Logs\sdkservicepulmxguu_2025_02_21.log
Source: C:\Program Files\ToDesk\ToDesk.exe Directory created: C:\Program Files\ToDesk\Logs\zrtcserviceewwszqlz_2025_02_21.log
Source: T0pdaslk-guangwang-winelkxcac-64.msi Static file information: File size 95763456 > 1048576
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: Microsoft_Xtools.exe, 0000000D.00000002.1603179504.00007FFF46F85000.00000002.00000001.01000000.0000000A.sdmp, vcruntime140_1.dll.12.dr
Source: Binary string: D:\jenkins\workspace\todesk-toc-win\bin\x64\Release\todesk\ToDesk.pdb source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: D:\gitlab\vhid\driver\umdf2\x64\Release\TodeskVhid.pdb source: ToDesk_Setup.exe, 00000012.00000002.1874957635.000000000041E000.00000004.00000001.01000000.0000000C.sdmp, ToDesk_Setup.exe, 00000012.00000002.1874957635.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x64\stdDllWrapper.pdb source: T0pdaslk-guangwang-winelkxcac-64.msi, 4cdca3.rbs.2.dr, MSIE927.tmp.2.dr
Source: Binary string: d:\agent\_work\2\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: Microsoft_Xtools.exe, 0000000D.00000002.1602453751.00007FFF415B2000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: zrtc.dll.pdb source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF26671000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: E:\NiuniuCapture\niuniu_src\nsNiuniuSkin\plugin\nsNiuniuDUI.pdb source: ToDesk_Setup.exe, 00000012.00000002.1883171743.000000006D111000.00000040.00000001.01000000.0000000E.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Microsoft_Xtools.exe, 0000000D.00000002.1603452415.00007FFF46FA3000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Microsoft_Xtools.exe, 0000000D.00000002.1603452415.00007FFF46FA3000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: virtual_camera_x86.dll.pdb source: virtual_camera_x86.dll.18.dr
Source: Binary string: D:\jenkins\workspace\todesk-toc-win\bin\x64\Release\todesk\ToDesk.pdb. source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy -O2 -Ob2 -MT /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -D_WIN32_WINNT=0x0501 -D_USING_V110_SDK71_crypto\ex_data.c source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: T0pdaslk-guangwang-winelkxcac-64.msi, MSIA690.tmp.1.dr, MSI2A0D.tmp.1.dr, MSIA621.tmp.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: Microsoft_Xtools.exe, 0000000D.00000002.1603179504.00007FFF46F85000.00000002.00000001.01000000.0000000A.sdmp, vcruntime140_1.dll.12.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy -O2 -Ob2 -MT /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -D_WIN32_WINNT=0x0501 -D_USING_V110_SDK71_ source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp
Source: VCRUNTIME140.dll.12.dr Static PE information: TimeDateStamp 0xE2E02087 [Sun Aug 13 20:26:47 2090 UTC] (compile timestamp lies in the future)
Source: initial sample Static PE information: section where entry point is pointing to: .vmp1
Source: MSVCP140.dll.12.dr Static PE information: section name: .didat
Source: VCRUNTIME140.dll.12.dr Static PE information: section name: fothk
Source: VCRUNTIME140.dll.12.dr Static PE information: section name: _RDATA
Source: Microsoft_Xtools.exe.12.dr Static PE information: section name: _RDATA
Source: Microsoft_Xtools.exe.12.dr Static PE information: section name: .vmp0
Source: Microsoft_Xtools.exe.12.dr Static PE information: section name: .vmp1
Source: SimpleSC.dll.18.dr Static PE information: section name: .didata
Source: ToDesk.exe.18.dr Static PE information: section name: .rodata
Source: ToDesk.exe.18.dr Static PE information: section name: _RDATA
Source: zrtc.dll.18.dr Static PE information: section name: .00cfg
Source: zrtc.dll.18.dr Static PE information: section name: .nvFatBi
Source: zrtc.dll.18.dr Static PE information: section name: .nv_fatb
Source: zrtc.dll.18.dr Static PE information: section name: .retplne
Source: zrtc.dll.18.dr Static PE information: section name: .rodata
Source: zrtc.dll.18.dr Static PE information: section name: .voltbl
Source: zrtc.dll.18.dr Static PE information: section name: .xdata
Source: zrtc.dll.18.dr Static PE information: section name: IPPCODE
Source: zrtc.dll.18.dr Static PE information: section name: IPPDATA
Source: zrtc.dll.18.dr Static PE information: section name: _RDATA
Source: virtual_camera_x64.dll.18.dr Static PE information: section name: _RDATA
Source: tdIdd.dll.18.dr Static PE information: section name: _RDATA
Source: TodeskVhid.dll.18.dr Static PE information: section name: _RDATA
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
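The three static indicators listed above (a TimeDateStamp decoding to 2090, an entry point that points into .vmp1, and VMProtect/UPX section names) can be checked without a sandbox. The script below is an added example, not code from the Joe Sandbox report: it parses the COFF header and section table with struct alone, so it runs on any PE on disk, and builds a constructed header-only PE32+ image in memory to exercise the checks offline. The PACKER_SECTIONS mapping and the sample section layout are assumptions for illustration; the 0xE2E02087 value is the one the report shows.

```python
"""Static PE triage: future compile timestamp, entry point in a packer section,
and VMProtect/UPX section names. Added example, not part of the sandbox report."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Assumed section-name -> packer mapping (the two packers this report flags).
PACKER_SECTIONS = {
    ".vmp0": "VMProtect", ".vmp1": "VMProtect", ".vmp2": "VMProtect",
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
}


def compile_time(timestamp: int) -> datetime:
    """Decode IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch, UTC)."""
    return EPOCH + timedelta(seconds=timestamp)


def parse_pe(data: bytes) -> dict:
    """Return TimeDateStamp, AddressOfEntryPoint and the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    table = opt + opt_size
    for i in range(nsections):  # IMAGE_SECTION_HEADER is 40 bytes; we need Name, VirtualSize, VirtualAddress
        name, vsize, vaddr = struct.unpack_from("<8sII", data, table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize})
    return {"timestamp": timestamp, "entry_rva": entry_rva, "sections": sections}


def section_for_rva(sections: list, rva: int):
    """Name of the section whose virtual range contains rva, or None."""
    for sec in sections:
        if sec["vaddr"] <= rva < sec["vaddr"] + sec["vsize"]:
            return sec["name"]
    return None


def triage(data: bytes, now: datetime) -> dict:
    """Apply the three static checks; `now` is injected so results are reproducible."""
    pe = parse_pe(data)
    compiled = compile_time(pe["timestamp"])
    names = [s["name"] for s in pe["sections"]]
    entry_section = section_for_rva(pe["sections"], pe["entry_rva"])
    return {
        "compiled": compiled,
        "timestamp_in_future": compiled > now,
        "entry_section": entry_section,
        "entry_in_packer": PACKER_SECTIONS.get(entry_section),
        "packers": sorted({PACKER_SECTIONS[n] for n in names if n in PACKER_SECTIONS}),
    }


def build_sample_pe(timestamp: int, section_names: list, entry_section_index: int) -> bytes:
    """Constructed header-only PE32+ image (DOS header, PE signature, COFF header,
    optional header, section table); sections are laid out 0x1000 apart."""
    opt_size = 240  # PE32+ optional header with 16 data directories
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), timestamp, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000 * (entry_section_index + 1) + 0x10)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    sample = build_sample_pe(0xE2E02087, [".text", ".rdata", ".vmp0", ".vmp1"], 3)
    for key, value in triage(sample, datetime.now(timezone.utc)).items():
        print(f"{key}: {value}")
```

To run it on a real dropped file, replace the constructed image with `open(path, "rb").read()`; the checks are header-only, so a 95 MB MSI payload is handled as quickly as a small DLL. A future timestamp alone is weak evidence (some build systems deliberately randomise it), which is why the result keeps each indicator separate instead of folding them into one score.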
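The module-load entries above are only useful once they are read per process: dinput8.dll appearing in explorer.exe after the injection, and authfwcfg.dll in netsh.exe, are the behaviours the Signatures section summarises. The same goes for the File created entries in the Persistence and Installation Behavior section that follows, where explorer.exe writes C:\ProgramData\kernelquick.sys. The script below is an added example, not sandbox logic: it parses the report's "Source: <process> <event>: <argument>" lines and applies a handful of hand-written rules. The rules, the baseline of "system processes that should not drop drivers" and the sample lines (copied from this report) are illustrative assumptions.

```python
"""Rule-based triage of Joe Sandbox "Source: <process> <event>: <argument>" lines.
Added example, not part of the report; rules and sample lines are illustrative."""
import re
from collections import defaultdict

EVENT_RE = re.compile(
    r"^Source:\s+(?P<source>.+?)\s+"
    r"(?P<event>Section loaded|File created|Directory created|Key value queried):\s+"
    r"(?P<arg>.+?)(?:\s+Jump to (?:behavior|dropped file))?\s*$")

# Assumed rules: (host process, module) pairs that deserve a look in this report.
MODULE_RULES = {
    ("explorer.exe", "dinput8.dll"): "DirectInput loaded into explorer.exe (keystroke capture by injected code)",
    ("netsh.exe", "authfwcfg.dll"): "netsh loaded the advfirewall helper (firewall rules being changed)",
}
SYSTEM_PROCESSES = {"explorer.exe", "svchost.exe"}  # assumed: should never drop drivers
PE_EXTENSIONS = {"sys", "dll", "exe"}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
PROGRAMDATA = "c:\\programdata\\"

# Constructed sample: lines copied from this report's Section loaded / File created entries.
SAMPLE_LINES = [
    r"Source: C:\Windows\explorer.exe Section loaded: dinput8.dll",
    r"Source: C:\Windows\explorer.exe Section loaded: wininet.dll",
    r"Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll",
    r"Source: C:\Windows\explorer.exe File created: C:\ProgramData\kernelquick.sys",
    r"Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\pwand.dll Jump to dropped file",
    r"Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Program Files\ToDesk\drivers\cameramic\ToDeskAudio.sys Jump to behavior",
    r"Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIA690.tmp Jump to dropped file",
]


def parse_event(line: str):
    """Split one report line into source process, event type and argument, or None."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def file_rules(process: str, path: str) -> list:
    """Findings for one File created event (process is the lower-cased image name)."""
    p = path.lower()
    ext = p.rsplit(".", 1)[-1] if "." in basename(p) else ""
    out = []
    if ext == "sys":
        if not p.startswith(DRIVER_DIR):
            out.append("driver written outside System32\\drivers")
        if process in SYSTEM_PROCESSES:
            out.append("system process wrote a driver")
    if ext in PE_EXTENSIONS and p.startswith(PROGRAMDATA) and "\\" not in p[len(PROGRAMDATA):]:
        out.append("PE file written directly into ProgramData root")
    return out


def triage_report(lines) -> dict:
    """Return {'findings': [...], 'modules': {process: set(dll)}} for the given lines."""
    findings = []
    modules = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue  # window-recorder lines, binary strings etc. are skipped
        proc = basename(ev["source"])
        if ev["event"] == "Section loaded":
            mod = ev["arg"].lower()
            modules[proc].add(mod)
            rule = MODULE_RULES.get((proc, mod))
            if rule:
                findings.append({"rule": rule, "process": proc, "path": mod})
        elif ev["event"] == "File created":
            for rule in file_rules(proc, ev["arg"]):
                findings.append({"rule": rule, "process": proc, "path": ev["arg"]})
    return {"findings": findings, "modules": dict(modules)}


if __name__ == "__main__":
    for f in triage_report(SAMPLE_LINES)["findings"]:
        print(f"[{f['process']}] {f['rule']}: {f['path']}")
```

Feeding the whole report through `triage_report(open(path).read().splitlines())` separates the ToDesk installer's own driver drops under C:\Program Files\ToDesk\drivers (expected for that product, still worth noting) from the drops that have no business happening at all, such as a shell process writing a .sys file into ProgramData. The "Jump to behavior" / "Jump to dropped file" suffixes are link text left by the HTML export and are stripped by the regex rather than treated as part of the path.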

Persistence and Installation Behavior

Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Program Files\ToDesk\drivers\cameramic\ToDeskAudio.sys
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Program Files\ToDesk\drivers\tdgamepad\TdGamepad.sys
Source: C:\Windows\explorer.exe File created: C:\ProgramData\kernelquick.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIA690.tmp
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Program Files\ToDesk\drivers\vhid\devcon.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIA6B0.tmp
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\System.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\nsNiuniuSkin.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\pwand.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8A7.tmp
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\nsSCM.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Program Files\ToDesk\drivers\cameramic\devcon.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\MSVCP140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI2A0D.tmp
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\killer.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE7DE.tmp
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Program Files\ToDesk\zrtc.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\VCRUNTIME140.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\BgWorker.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\vcruntime140_1.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Program Files\ToDesk\drivers\tdscreen\devcon.exe
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Program Files\ToDesk\drivers\tdscreen\tdIdd.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Program Files\ToDesk\ToDesk.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE780.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIA7BC.tmp
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Program Files\ToDesk\uninst.exe
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Program Files\ToDesk\drivers\vhid\TodeskVhid.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\nsExec.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Program Files\ToDesk\drivers\tdgamepad\devcon.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIA621.tmp
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\SimpleSC.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIA78D.tmp
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Program Files\ToDesk\drivers\cameramic\virtual_camera_x64.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Program Files\ToDesk\CrashReport.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIA6C0.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\UnityPlayer.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Program Files\ToDesk\drivers\cameramic\virtual_camera_x86.dll
Source: C:\Program Files\ToDesk\ToDesk.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ToDesk
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ToDesk\ToDesk.lnk
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ToDesk\Uninstall ToDesk.lnk
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc stop ToDesk_Service
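Reading the drop list above by writer process rather than by file name separates the cover installer from the payload. Everything ToDesk_Setup.exe writes lands in its own product tree (C:\Program Files\ToDesk, the NSIS plugin scratch directory nsm2FF3.tmp, the Start Menu shortcuts), and the ToDesk_Service key is that product's service. The entries that do not fit are explorer.exe creating C:\ProgramData\kernelquick.sys (a shell process writing a driver, which matches the explorer.exe injection signatures in the overview) and msiexec.exe writing pwand.dll to the ProgramData root and a PE set (Microsoft_Xtools.exe, UnityPlayer.dll, the VC runtime DLLs) into a GUID-named directory directly under the user profile. The script below is an added example and is not part of the report or of the sample: it parses "File created" lines (a subset copied from this section as constructed input) and labels each by writer and location. The SYSTEM_HOSTS set, the label names and the rule order are assumptions of the example, not something the report states.

```python
import re

# Constructed input: a representative subset of the "File created" entries
# from the section above, copied as written in this report.
FILE_CREATED_LINES = [
    r"Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Program Files\ToDesk\drivers\cameramic\ToDeskAudio.sys",
    r"Source: C:\Windows\explorer.exe File created: C:\ProgramData\kernelquick.sys",
    r"Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIA690.tmp",
    r"Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\pwand.dll",
    r"Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8A7.tmp",
    r"Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe",
    r"Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\UnityPlayer.dll",
    r"Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe",
    r"Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File created: C:\Program Files\ToDesk\ToDesk.exe",
]

LINE_RE = re.compile(r"^Source:\s*(?P<writer>.+?)\s+File created:\s*(?P<path>.+?)\s*$")
MSI_TMP_RE = re.compile(r"\\MSI[0-9A-F]{3,4}\.tmp$", re.I)
# <profile>\<GUID>\<file>: a PE staged in a GUID-named folder directly under the user profile
GUID_DIR_RE = re.compile(
    r"^C:\\Users\\[^\\]+\\[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\\[^\\]+$", re.I)
PROGRAMDATA = "C:\\ProgramData\\"
EXEC_EXT = (".exe", ".dll", ".sys")
# Shell and service hosts that never legitimately write executable code;
# when they do, injected code is usually running inside them (assumed list).
SYSTEM_HOSTS = {"explorer.exe", "svchost.exe", "winlogon.exe", "lsass.exe"}
SUSPICIOUS = {"system-host-drop", "programdata-root-drop", "profile-guid-dir-drop"}


def parse_file_created(line):
    """Split one report line into (writer process path, created file path)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    return m["writer"], m["path"]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def classify(writer, path):
    """Label one (writer, path) pair; rules are ordered most specific first."""
    name = basename(writer).lower()
    is_exec = path.lower().endswith(EXEC_EXT)
    if name in SYSTEM_HOSTS and is_exec:
        return "system-host-drop"          # e.g. explorer.exe writing a .sys
    if is_exec and path.lower().startswith(PROGRAMDATA.lower()) and "\\" not in path[len(PROGRAMDATA):]:
        return "programdata-root-drop"     # loose PE in the ProgramData root
    if is_exec and GUID_DIR_RE.match(path):
        return "profile-guid-dir-drop"     # PE staged under <profile>\<GUID>\
    if name == "msiexec.exe" and MSI_TMP_RE.search(path):
        return "msi-temp"                  # Windows Installer scratch file, expected
    if name == "msiexec.exe" and is_exec:
        return "msi-extracted-pe"          # msiexec unpacked a PE outside its temp dirs
    return "installer-tree"                # an installer writing its own product tree


def triage(lines):
    rows = []
    for line in lines:
        writer, path = parse_file_created(line)
        rows.append({"writer": basename(writer), "path": path, "label": classify(writer, path)})
    return rows


def suspicious(rows):
    """Paths whose writer or location does not fit a normal product install."""
    return sorted(r["path"] for r in rows if r["label"] in SUSPICIOUS)


if __name__ == "__main__":
    for r in triage(FILE_CREATED_LINES):
        print(f"{r['label']:<22} {r['writer']:<18} {r['path']}")
```

On the constructed input the four suspicious rows are kernelquick.sys, pwand.dll, Microsoft_Xtools.exe and UnityPlayer.dll; ToDesk_Setup.exe itself is labelled msi-extracted-pe, which is the one expected thing for an MSI that carries a bundled installer, and the whole C:\Program Files\ToDesk tree is installer-tree.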

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Memory written: PID: 5868 base: 7FFF4F43000D value: E9 BB CB EC FF
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Memory written: PID: 5868 base: 7FFF4F2FCBC0 value: E9 5A 34 13 00
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\AiServer MyData
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX count: 16
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX count: 6
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX count: 38
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process information set: NOOPENFILEERRORBOX count: 5
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX count: 4
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX count: 13
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX count: 18
Source: C:\Program Files\ToDesk\ToDesk.exe Process information set: NOOPENFILEERRORBOX count: 7
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX count: 6
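The two "Memory written" entries at the top of this section are five-byte E9 (JMP rel32) patches inside PID 5868, and decoding them explains the "overwrites code with unconditional jumps" signature. The displacement is a signed 32-bit value relative to the end of the instruction, so the write at 7FFF4F2FCBC0 redirects that address to 7FFF4F43001F, while the write at 7FFF4F43000D jumps to 7FFF4F2FCBCD, exactly 13 bytes past the first write. That is the layout an inline hook with a trampoline leaves behind: the first bytes of the hooked function are replaced by a jump to a detour, the displaced bytes are copied to a trampoline, and the trampoline ends with a jump back into the function after the stolen bytes. The script below is an added example and is not part of the report or of the sample: it parses the two lines (copied here as constructed input), decodes the rel32 target of each patch and pairs them. The 16-byte upper bound on stolen bytes used for pairing is an assumption of the example.

```python
import re
import struct

# Constructed input: the two "Memory written" entries this report lists for
# Microsoft_Xtools.exe (PID 5868), copied from the section above.
REPORT_LINES = [
    "Memory written: PID: 5868 base: 7FFF4F43000D value: E9 BB CB EC FF",
    "Memory written: PID: 5868 base: 7FFF4F2FCBC0 value: E9 5A 34 13 00",
]

WRITE_RE = re.compile(
    r"PID:\s*(?P<pid>\d+)\s+base:\s*(?P<base>[0-9A-Fa-f]+)\s+value:\s*"
    r"(?P<bytes>[0-9A-Fa-f]{2}(?:\s+[0-9A-Fa-f]{2})*)"
)


def parse_write(line):
    """Extract (pid, base address, patch bytes) from one report line."""
    m = WRITE_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    return int(m["pid"]), int(m["base"], 16), bytes.fromhex(re.sub(r"\s+", "", m["bytes"]))


def jmp_rel32_target(base, patch):
    """Decode a 5-byte 'E9 rel32' patch written at `base`.
    rel32 is a signed displacement from the end of the instruction (base + 5).
    Returns None when the bytes are not such a JMP."""
    if len(patch) < 5 or patch[0] != 0xE9:
        return None
    (rel,) = struct.unpack("<i", patch[1:5])
    return (base + 5 + rel) & 0xFFFFFFFFFFFFFFFF


def decode_hooks(lines):
    """One record per JMP patch: the PID, where it was written, where it lands."""
    hooks = []
    for line in lines:
        pid, base, patch = parse_write(line)
        target = jmp_rel32_target(base, patch)
        if target is not None:
            hooks.append({"pid": pid, "site": base, "target": target})
    return hooks


def find_trampoline_pairs(hooks, max_stolen=16):
    """Pair writes that look like (hooked function, trampoline) within one PID.
    An inline hook overwrites the first n bytes of function A with a JMP to a
    detour, relocates those n bytes into a trampoline, and ends the trampoline
    with a JMP back to A + n. So if patch B lands 0 < n <= max_stolen bytes past
    patch site A, A is the hooked function and B is the trampoline's return jump.
    max_stolen is an assumed upper bound on how many bytes a hook steals."""
    pairs = []
    for a in hooks:
        for b in hooks:
            if a is b or a["pid"] != b["pid"]:
                continue
            stolen = b["target"] - a["site"]
            if 0 < stolen <= max_stolen:
                pairs.append((a["site"], b["site"], stolen))
    return pairs


if __name__ == "__main__":
    hooks = decode_hooks(REPORT_LINES)
    for h in hooks:
        print(f"PID {h['pid']}: JMP written at {h['site']:#x} -> {h['target']:#x}")
    for func, tramp, n in find_trampoline_pairs(hooks):
        print(f"hooked function {func:#x}; trampoline jump at {tramp:#x} resumes at +{n} bytes")
```

Run against the two lines it reports the targets 0x7fff4f2fcbcd and 0x7fff4f43001f and the single pair (hooked function 0x7fff4f2fcbc0, trampoline jump at 0x7fff4f43000d, 13 stolen bytes). The report does not say which function lives at 7FFF4F2FCBC0; the 7FFF... range is where system DLLs are mapped in a 64-bit process, so the next step in a manual investigation is to resolve that address against the module list of PID 5868 in the full report.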

Malware Analysis System Evasion

Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Section loaded: OutputDebugStringW count: 539
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe RDTSC instruction interceptor: First address: 7FF6DA465B86 second address: 7FF6DA422929 instructions:
    0x00000000 rdtsc
    0x00000002 mov al, dh
    0x00000004 jmp 00007F8238BB741Ah
    0x00000009 inc ecx
    0x0000000a rol eax, 1
    0x0000000c dec eax
    0x0000000d bswap ebx
    0x0000000f dec ebp
    0x00000011 inc cx
    0x00000013 movsx esi, al
    0x00000016 inc ecx
    0x00000017 dec eax
    0x00000019 dec ebp
    0x0000001a add eax, ebx
    0x0000001c inc ecx
    0x0000001d shl dl, FFFFFFA7h
    0x00000020 ror bh, FFFFFF93h
    0x00000023 dec eax
    0x00000024 mov esi, 00000000h
    0x00000029 add dword ptr [eax], eax
    0x0000002b add byte ptr [eax], al
    0x0000002d inc ecx
    0x0000002e rcl dl, cl
    0x00000030 dec esp
    0x00000031 add eax, esi
    0x00000033 mov al, al
    0x00000035 dec esp
    0x00000036 mov edx, esp
    0x00000038 inc eax
    0x00000039 or ch, dh
    0x0000003b dec eax
    0x0000003c sub esp, 00000180h
    0x00000042 dec eax
    0x00000043 and esp, FFFFFFF0h
    0x00000049 adc ebx, esp
    0x0000004b dec ecx
    0x0000004c mov ebx, eax
    0x0000004e rdtsc
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe RDTSC instruction interceptor: First address: 7FF6DA14AEA8 second address: 7FF6DA04EDC6 instructions:
    0x00000000 rdtsc
    0x00000002 mov al, dh
    0x00000004 jmp 00007F8238A138D5h
    0x00000009 inc ecx
    0x0000000a rol eax, 1
    0x0000000c dec eax
    0x0000000d bswap ebx
    0x0000000f dec ebp
    0x00000011 inc cx
    0x00000013 movsx esi, al
    0x00000016 inc ecx
    0x00000017 dec eax
    0x00000019 dec ebp
    0x0000001a add eax, ebx
    0x0000001c inc ecx
    0x0000001d shl dl, FFFFFFA7h
    0x00000020 ror bh, FFFFFF93h
    0x00000023 dec eax
    0x00000024 mov esi, 00000000h
    0x00000029 add dword ptr [eax], eax
    0x0000002b add byte ptr [eax], al
    0x0000002d inc ecx
    0x0000002e rcl dl, cl
    0x00000030 dec esp
    0x00000031 add eax, esi
    0x00000033 mov al, al
    0x00000035 dec esp
    0x00000036 mov edx, esp
    0x00000038 inc eax
    0x00000039 or ch, dh
    0x0000003b dec eax
    0x0000003c sub esp, 00000180h
    0x00000042 dec eax
    0x00000043 and esp, FFFFFFF0h
    0x00000049 adc ebx, esp
    0x0000004b dec ecx
    0x0000004c mov ebx, eax
    0x0000004e rdtsc
Note on reading the two listings: the interceptor decodes the bytes as 32-bit code, but Microsoft_Xtools.exe is a 64-bit image (addresses 7FF6...), so most of the single-byte inc/dec instructions on eax, ecx, esp and ebp (opcodes 0x40 to 0x4F) are REX prefixes of the instruction that follows them: "dec eax / sub esp, 00000180h" is sub rsp, 180h and "dec eax / and esp, FFFFFFF0h" is and rsp, -16, a normal stack-aligning prologue. The code between the first and the second rdtsc is the timed window; a cycle count that is far above what bare hardware produces is what the sample treats as a sign of single-stepping, emulation or a hypervisor, which is why the "RDTSC with Trap Flag" entry below and the VM-detection signatures in the overview fire together.
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Special instruction interceptor: First address: 7FF6DA408F85 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 3185
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 5923
Source: C:\Program Files\ToDesk\ToDesk.exe Window / User API: threadDelayed 4079
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA690.tmp
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Dropped PE file which has not been started: C:\Program Files\ToDesk\drivers\vhid\devcon.exe
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Dropped PE file which has not been started: C:\Program Files\ToDesk\drivers\cameramic\ToDeskAudio.sys
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA6B0.tmp
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\System.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\nsNiuniuSkin.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\ProgramData\pwand.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Dropped PE file which has not been started: C:\Program Files\ToDesk\drivers\cameramic\devcon.exe
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\nsSCM.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI8A7.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2A0D.tmp
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\killer.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIE7DE.tmp
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Dropped PE file which has not been started: C:\Program Files\ToDesk\drivers\tdgamepad\TdGamepad.sys
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\BgWorker.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Dropped PE file which has not been started: C:\Program Files\ToDesk\drivers\tdscreen\devcon.exe
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Dropped PE file which has not been started: C:\Program Files\ToDesk\drivers\tdscreen\tdIdd.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIE780.tmp
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Dropped PE file which has not been started: C:\Program Files\ToDesk\uninst.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA7BC.tmp
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\nsExec.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Dropped PE file which has not been started: C:\Program Files\ToDesk\drivers\tdgamepad\devcon.exe
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\SimpleSC.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA621.tmp
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Dropped PE file which has not been started: C:\Program Files\ToDesk\drivers\cameramic\virtual_camera_x64.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA78D.tmp
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Dropped PE file which has not been started: C:\Program Files\ToDesk\CrashReport.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA6C0.tmp
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Dropped PE file which has not been started: C:\Program Files\ToDesk\drivers\cameramic\virtual_camera_x86.dll
Source: C:\Windows\System32\svchost.exe TID: 6944 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2732 Thread sleep time: -91000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1436 Thread sleep time: -31850s >= -30000s
Source: C:\Windows\explorer.exe TID: 2732 Thread sleep time: -5923000s >= -30000s
Source: C:\Program Files\ToDesk\ToDesk.exe TID: 6848 Thread sleep count: 4079 > 30
Source: C:\Program Files\ToDesk\ToDesk.exe TID: 4792 Thread sleep count: 39 > 30
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Program Files\ToDesk\ToDesk.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct count: 5
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed count: 14
Source: C:\Program Files\ToDesk\ToDesk.exe Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation count: 15
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation count: 3
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe File Volume queried: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp FullSizeInformation
Source: ToDesk.exe, 00000034.00000003.1924604887.00000257D0718000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Vol
Source: ToDesk.exe, 0000003A.00000003.2206614243.000001ED0F14A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp Binary or memory string: WebRTC-AllowMACBasedIPv6Network change was observedVMnetStartUpdatingSocket creation failedConnect failed with UpdateNetworksContinuallyNetworkManager detected networks:, active ? , IgnoredWebRTC-UseDifferentiatedCellularCostsNet[:id=Enabled
Source: svchost.exe, 00000007.00000002.2480951619.000002C780475000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@
Source: explorer.exe, 0000000E.00000003.1998697487.0000000008A54000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00lT8
Source: ToDesk.exe, 0000003A.00000003.2206614243.000001ED0F14A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringComputer System ProductComputer System ProductM5HXHL0CC82742-52E4-CC1D-A08F-D3A4823E8F04VMware, Inc.None
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF26383000.00000002.00000001.01000000.00000018.sdmp Binary or memory string: vmncVMware Screen Codec / VMware Videovp5On2 VP5vp6On2 VP6vp6fOn2 VP6 (Flash version)targaTruevision Targa imageimage/x-targaimage/x-tga
Source: explorer.exe, 0000000E.00000002.2466701365.0000000000B56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000000.00000002.2513968592.000001EB6625E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.2510633848.000001EB6623F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.2486931921.000001EB60C2B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2586897655.00000000088B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1556114866.0000000008888000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1556114866.00000000088D7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000E.00000002.2466701365.0000000000B28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000q;
Source: ToDesk.exe, 00000034.00000003.1924604887.00000257D0718000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vHyper-V Da
Source: svchost.exe, 00000007.00000002.2480951619.000002C780465000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000es
Source: svchost.exe, 00000007.00000002.2483350035.000002C78047F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000003.1998697487.00000000089EA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}9d2}i
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: netsh.exe, 00000020.00000003.1681229554.0000000000D92000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
Source: netsh.exe, 00000023.00000002.1696316811.0000000003700000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000025.00000002.1708914818.00000000035A0000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000027.00000003.1715065076.0000000000531000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000029.00000003.1721617491.0000000000F61000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000002B.00000003.1726818803.0000000000791000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000002B.00000003.1727351278.0000000000794000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000002D.00000002.1732550742.0000000000BE4000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000002D.00000003.1731252427.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000002F.00000003.1735793969.0000000000E42000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000031.00000003.1741482839.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000031.00000002.1742670402.00000000011F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 0000000E.00000000.1556114866.00000000088D7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000013.00000002.2466736069.00000000005BB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll99
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD331000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlluu
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611AF5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
Source: explorer.exe, 0000000E.00000002.2586897655.00000000089F4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000T
Source: explorer.exe, 0000000E.00000000.1547538044.00000000071FF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}W6
Source: svchost.exe, 00000007.00000002.2476731968.000002C78044C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000000.1556114866.00000000088D7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp Binary or memory string: VMnet
Source: explorer.exe, 0000000E.00000000.1556114866.0000000008888000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000nf
Source: ToDesk.exe, 0000003A.00000003.2206614243.000001ED0F14A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringComputer System ProductComputer System ProductM5HXHL0CC82742-52E4-CC1D-A08F-D3A4823E8F04VMware, Inc.Noney*
Source: svchost.exe, 00000007.00000002.2474455248.000002C78042B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000000.1556114866.0000000008770000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWUSm32\DriverStore\en-US\usb.inf_locK
Source: ToDesk.exe, 00000034.00000003.1924604887.00000257D0718000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hear
Source: explorer.exe, 0000000E.00000000.1556114866.0000000008888000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00
Source: svchost.exe, 00000007.00000002.2468413723.000002C78040B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: ToDesk.exe, 00000034.00000003.1924604887.00000257D0718000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Gues
Source: ToDesk.exe, 00000033.00000002.1904483843.00000208CF88C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2742-52E4-CC1D-A08F-D3A4823E8F04VMware, Inc.
Source: svchost.exe, 00000007.00000002.2476731968.000002C78044C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000002.2466701365.0000000000B56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000000E.00000003.1998697487.00000000089EA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF26383000.00000002.00000001.01000000.00000018.sdmp Binary or memory string: VMware Screen Codec / VMware Video
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe System information queried: ModuleInformation
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Thread information set: HideFromDebugger
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Handle closed: DEADC0DE
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Process queried: DebugPort
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process token adjusted: Debug
Source: C:\Program Files\ToDesk\ToDesk.exe Process token adjusted: Debug
Source: C:\Program Files\ToDesk\ToDesk.exe Process token adjusted: Debug
Source: C:\Program Files\ToDesk\ToDesk.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 47.238.100.22 4433
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Memory allocated: C:\Windows\explorer.exe base: 2CF0000 protect: page execute and read and write
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Memory allocated: C:\Windows\explorer.exe base: 8050000 protect: page read and write
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe NtMapViewOfSection: Indirect: 0x1EADE87D696
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe NtMapViewOfSection: Indirect: 0x1EADE87DBD3
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Memory written: PID: 4380 base: 2CF0000 value: E9
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Memory written: PID: 4380 base: 8050000 value: 00
Source: C:\Windows\explorer.exe Memory written: PID: 5792 base: 420000 value: E8
Source: C:\Windows\explorer.exe Thread register set: target process: 5792
Source: Traffic DNS traffic detected: queries for: authds.kylinlot.com
Source: Traffic DNS traffic detected: queries for: authds.kylinlot.com
Source: Traffic DNS traffic detected: queries for: authds.kylinlot.com
Source: Traffic DNS traffic detected: queries for: authds.kylinlot.com
Source: C:\Windows\explorer.exe Thread register set: 5792 C1A6E00
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Memory written: C:\Windows\explorer.exe base: 2CF0000
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Memory written: C:\Windows\explorer.exe base: 8050000
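The anti-debugging entries (ThreadHideFromDebugger, the CloseHandle(DEADC0DE) check, the DebugPort / DebugObjectHandle queries) and the explorer.exe entries above are reported one event at a time. Read together they describe a chain: Microsoft_Xtools.exe allocates an executable region in explorer.exe, maps a section through an indirect syscall, writes a stub whose first byte is E9 (a 5-byte near JMP), and the injected explorer.exe in turn writes an E8 (CALL) into PID 5792 and sets that process's thread context. The script below is an added triage example, not part of the Joe Sandbox report or of the sample; it takes the evidence lines copied from this report as constructed input and reconstructs that chain per source process. The stage names, the opcode-to-mnemonic table and the sandbox-event-to-API mapping are this example's own labels, not report fields.

```python
import re
from collections import defaultdict

# Constructed input: evidence lines copied from the anti-debugging and
# process-injection sections of this report (paths, PIDs and addresses are
# the report's own values; the "Jump to behavior" link text is dropped).
EVIDENCE = r"""
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Thread information set: HideFromDebugger
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Handle closed: DEADC0DE
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Process queried: DebugPort
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Process queried: DebugObjectHandle
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Memory allocated: C:\Windows\explorer.exe base: 2CF0000 protect: page execute and read and write
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Memory allocated: C:\Windows\explorer.exe base: 8050000 protect: page read and write
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe NtMapViewOfSection: Indirect: 0x1EADE87D696
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Memory written: PID: 4380 base: 2CF0000 value: E9
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe Memory written: PID: 4380 base: 8050000 value: 00
Source: C:\Windows\explorer.exe Memory written: PID: 5792 base: 420000 value: E8
Source: C:\Windows\explorer.exe Thread register set: target process: 5792
"""

# "Source: <path> <event>: <detail>"; the path may contain spaces, so the
# event name is what terminates it.
LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) "
    r"(?P<event>Thread information set|Handle closed|Process queried|Memory allocated|"
    r"NtMapViewOfSection|Memory written|Thread register set): (?P<rest>.*)$"
)
ALLOC_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
WRITE_RE = re.compile(r"^PID: (?P<pid>\d+) base: (?P<base>[0-9A-Fa-f]+) value: (?P<byte>[0-9A-Fa-f]{2})$")

# First byte written at the start of a region: 0xE9 is a near JMP rel32 and
# 0xE8 a CALL rel32 on x86/x64, i.e. a 5-byte hook stub rather than data.
OPCODES = {0xE9: "jmp", 0xE8: "call"}

# Sandbox event -> the user-mode behaviour it corresponds to (example labels).
ANTI_DEBUG = {
    ("Thread information set", "HideFromDebugger"): "NtSetInformationThread(ThreadHideFromDebugger)",
    ("Handle closed", "DEADC0DE"): "CloseHandle(bogus handle) exception check",
    ("Process queried", "DebugPort"): "NtQueryInformationProcess(ProcessDebugPort)",
    ("Process queried", "DebugObjectHandle"): "NtQueryInformationProcess(ProcessDebugObjectHandle)",
}


def parse(text):
    """Yield (source, event, detail) for every recognised evidence line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m["src"], m["event"], m["rest"].strip()


def analyze(text):
    """Group the evidence by source process."""
    out = defaultdict(lambda: {"anti_debug": [], "rwx_alloc": [], "writes": [],
                               "thread_ctx": [], "indirect_syscalls": 0})
    for src, event, rest in parse(text):
        f = out[src]
        if (event, rest) in ANTI_DEBUG:
            f["anti_debug"].append(ANTI_DEBUG[(event, rest)])
        elif event == "Memory allocated":
            a = ALLOC_RE.match(rest)
            if a and "execute" in a["prot"]:          # only executable regions matter here
                f["rwx_alloc"].append((a["target"], int(a["base"], 16)))
        elif event == "Memory written":
            w = WRITE_RE.match(rest)
            if w:
                kind = OPCODES.get(int(w["byte"], 16), "data")
                f["writes"].append((int(w["pid"]), int(w["base"], 16), kind))
        elif event == "Thread register set":
            pid = re.search(r"\d+", rest)
            if pid:
                f["thread_ctx"].append(int(pid.group()))
        elif event == "NtMapViewOfSection" and rest.startswith("Indirect"):
            f["indirect_syscalls"] += 1
    return dict(out)


def stages(f):
    """Order the injection stages one source process went through."""
    s = []
    if f["anti_debug"]:
        s.append("anti-debug")
    if f["indirect_syscalls"]:
        s.append("indirect-syscall")
    rwx_bases = {base for _, base in f["rwx_alloc"]}
    for target, _ in f["rwx_alloc"]:
        s.append("rwx-alloc-in-" + target.rsplit("\\", 1)[-1])
    for _, base, kind in f["writes"]:
        if kind != "data":   # a JMP/CALL at the region start is a hook stub, not payload data
            where = "into-own-rwx" if base in rwx_bases else "no-matching-alloc"
            s.append(f"{kind}-hook-written-{where}")
    if f["thread_ctx"]:
        s.append("thread-context-set")
    return s


def report(text):
    """Map each source process (basename) to its ordered stage list."""
    return {src.rsplit("\\", 1)[-1]: stages(f) for src, f in analyze(text).items()}


if __name__ == "__main__":
    for proc, chain in report(EVIDENCE).items():
        print(f"{proc}: {' -> '.join(chain)}")
```

Run on the constructed input it prints one chain per source: Microsoft_Xtools.exe goes anti-debug, indirect syscall, RWX allocation in explorer.exe, JMP stub written into that region; explorer.exe then writes a CALL into a region it did not allocate and sets a thread context in PID 5792. The "no-matching-alloc" label only says that no executable allocation by the same source process precedes the write in the evidence, which is exactly the case for an overwrite of existing code.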
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c sc stop ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c sc delete ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c sc stop ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c sc delete ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="ToDesk"
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="ToDesk_Service"
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="ToDesk_Session"
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk" dir=in program="C:\Program Files\ToDesk\ToDesk.exe" edge=yes action=allow
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk" dir=out program="C:\Program Files\ToDesk\ToDesk.exe" action=allow
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk_Service" dir=in program="C:\Program Files\ToDesk\ToDesk_Service.exe" edge=yes action=allow
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk_Service" dir=out program="C:\Program Files\ToDesk\ToDesk_Service.exe" action=allow
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk_Session" dir=in program="C:\Program Files\ToDesk\ToDesk_Session.exe" edge=yes action=allow
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk_Session" dir=out program="C:\Program Files\ToDesk\ToDesk_Session.exe" action=allow
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc stop ToDesk_Service
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc delete ToDesk_Service
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc stop ToDesk_Service
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc delete ToDesk_Service
Source: explorer.exe, 0000000E.00000000.1556114866.00000000089C9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2534062078.0000000004550000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.1998697487.0000000008A15000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000002.2507661761.0000000001114000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.1545792498.0000000001111000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000002.2466701365.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1545476893.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *Progman
Source: explorer.exe, 0000000E.00000002.2507661761.0000000001114000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.1545792498.0000000001111000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: bProgram Manager]
Source: explorer.exe, 0000000E.00000002.2507661761.0000000001114000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.1545792498.0000000001111000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: ToDesk.exe, 00000038.00000002.2295229401.00007FFF26301000.00000002.00000001.01000000.00000018.sdmp Binary or memory string: ../../third_party/webrtc/modules/desktop_capture/win/window_capture_utils.ccFail to create instance of VirtualDesktopManagerChrome_WidgetWin_ProgmanButton
Source: C:\Program Files\ToDesk\ToDesk.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\ToDesk\ToDesk.exe Queries volume information: C:\Program Files\ToDesk\Logs\servicexejnqytw_2025_02_21.log VolumeInformation
Source: C:\Program Files\ToDesk\ToDesk.exe Queries volume information: C:\Program Files\ToDesk\Logs\servicexejnqytw_2025_02_21.log VolumeInformation
Source: C:\Program Files\ToDesk\ToDesk.exe Queries volume information: C:\Program Files\ToDesk\Logs\sdkservicepulmxguu_2025_02_21.log VolumeInformation
Source: C:\Program Files\ToDesk\ToDesk.exe Queries volume information: C:\Program Files\ToDesk\Logs\sdkservicepulmxguu_2025_02_21.log VolumeInformation
Source: C:\Program Files\ToDesk\ToDesk.exe Queries volume information: C:\Program Files\ToDesk\Logs\servicexejnqytw_2025_02_21.log VolumeInformation
Source: C:\Program Files\ToDesk\ToDesk.exe Queries volume information: C:\Program Files\ToDesk\Logs\zrtcserviceewwszqlz_2025_02_21.log VolumeInformation
Source: C:\Program Files\ToDesk\ToDesk.exe Queries volume information: C:\Program Files\ToDesk\Logs\sdkservicepulmxguu_2025_02_21.log VolumeInformation
Source: C:\Program Files\ToDesk\ToDesk.exe Queries volume information: C:\Program Files\ToDesk\Logs\servicexejnqytw_2025_02_21.log VolumeInformation
Source: C:\Program Files\ToDesk\ToDesk.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="ToDesk"
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="ToDesk"
Source: svchost.exe, 00000008.00000002.2486089087.0000025ACAB02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000008.00000002.2486089087.0000025ACAB02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
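The netsh and sc commands listed under "HIPS / PFW / Operating System Protection Evasion" and repeated here are issued by the bundled ToDesk installer, so on their own they are what that installer normally runs. What makes them worth pulling out of this report is the end state they leave on a host that also carries the GhostRat payload: the service is stopped and re-registered, the old rules are deleted, and inbound allow rules with edge=yes (edge traversal, i.e. unsolicited inbound traffic arriving through a NAT or edge device is permitted) are added for three ToDesk binaries. The script below is an added triage example, not part of the Joe Sandbox report and not ToDesk code; it parses the "Process created" evidence lines copied from this report (constructed input) and summarises the firewall and service changes, flagging inbound allow rules and those with edge traversal enabled. Field names in the summary are this example's own.

```python
import re

# Constructed input: "Process created" evidence copied from the report above
# (the ToDesk installer driving cmd.exe / sc.exe / netsh.exe). Each operation
# appears once per process-tree level in the real report; one cmd.exe -> sc.exe
# child is kept here to show that it is counted as a separate event.
EVIDENCE = r"""
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c sc stop ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c sc delete ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="ToDesk"
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk" dir=in program="C:\Program Files\ToDesk\ToDesk.exe" edge=yes action=allow
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk" dir=out program="C:\Program Files\ToDesk\ToDesk.exe" action=allow
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk_Service" dir=in program="C:\Program Files\ToDesk\ToDesk_Service.exe" edge=yes action=allow
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc stop ToDesk_Service
"""

# "Source: <parent> Process created: <image> <command line>"; the parent path
# may contain spaces, the image path in these lines does not.
PROC_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<image>\S+) (?P<cmdline>.+)$")
FW_RE = re.compile(r"\badvfirewall firewall (?P<verb>add|delete) rule\b")
# netsh key=value pairs; values are either "quoted with spaces" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SC_RE = re.compile(r"\bsc (?P<verb>stop|delete|create|config|start) (?P<svc>\S+)")


def parse(text):
    """Yield (parent, image, cmdline) for every Process created line."""
    for raw in text.splitlines():
        m = PROC_RE.match(raw.strip())
        if m:
            yield m["parent"], m["image"], m["cmdline"]


def triage(text):
    """Split the evidence into firewall rule operations and service control operations."""
    fw, svc = [], []
    for parent, _image, cmdline in parse(text):
        m = FW_RE.search(cmdline)
        if m:
            params = {k: quoted or bare for k, quoted, bare in KV_RE.findall(cmdline)}
            fw.append({"parent": parent, "verb": m["verb"], **params})
        s = SC_RE.search(cmdline)
        if s:
            svc.append({"parent": parent, "verb": s["verb"], "service": s["svc"]})
    return fw, svc


def inbound_allows(fw):
    """Rules that open the host: dir=in action=allow. edge=yes on such a rule
    additionally permits edge traversal (unsolicited inbound through NAT)."""
    return [r for r in fw
            if r["verb"] == "add" and r.get("dir") == "in" and r.get("action") == "allow"]


def summarize(text):
    """Counts a responder wants at a glance, plus the programs the rules expose."""
    fw, svc = triage(text)
    opened = inbound_allows(fw)
    return {
        "rules_deleted": sum(r["verb"] == "delete" for r in fw),
        "inbound_allow": len(opened),
        "edge_traversal": sum(r.get("edge") == "yes" for r in opened),
        "programs_opened": sorted({r.get("program", "") for r in opened}),
        "services_stopped": sum(s["verb"] == "stop" for s in svc),
        "services_deleted": sum(s["verb"] == "delete" for s in svc),
    }


if __name__ == "__main__":
    for key, value in summarize(EVIDENCE).items():
        print(f"{key}: {value}")
```

The same parser applies to the full list in the report: the three inbound rules there all carry edge=yes, and the sc stop / sc delete pair appears twice from ToDesk_Setup.exe and again from the cmd.exe children, so counts should be read per process-tree level rather than as distinct operations. The point of the summary is the "programs_opened" list: a remote-desktop tool reachable from outside the NAT on a host that the rest of this report shows injecting GhostRat into explorer.exe.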

Stealing of Sensitive Information

Source: Yara match File source: 00000013.00000002.2496852197.0000000000880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 5792, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000013.00000002.2496852197.0000000000880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 5792, type: MEMORYSTR