Edit tour

Windows Analysis Report
T0pdaslk-guangwang-winelkxcac-64.msi

Overview

General Information

Sample name:	T0pdaslk-guangwang-winelkxcac-64.msi
Analysis ID:	1621377
MD5:	09fc3a5af26388a6909a2b0643ad644e
SHA1:	83423788bb21f3a47e02f89d3e604bf135f42080
SHA256:	0c8017e92fd56f96da5b8f01c219d4a90f80da94b360c59ce81618c9df55c88b
Infos:

Detection

GhostRat

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected GhostRat

Allocates memory in foreign processes

Changes security center settings (notifications, updates, antivirus, firewall)

Detected VMProtect packer

Drops password protected ZIP file

Found direct / indirect Syscall (likely to bypass EDR)

Hides threads from debuggers

Injects code into the Windows Explorer (explorer.exe)

Modifies the context of a thread in another process (thread injection)

Modifies the windows firewall

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Performs DNS TXT record lookups

Sample is not signed and drops a device driver

Sets debug register (to hijack the execution of another thread)

Sigma detected: Potentially Suspicious Malware Callback Communication

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect debuggers (CloseHandle check)

Tries to detect virtualization through RDTSC time measurements

Tries to evade analysis by execution special instruction (VM detection)

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Installs a global mouse hook

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Stores large binary data to the registry

Yara signature match

Classification

Process Tree

System is w10x64_ra

svchost.exe (PID: 2708 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

msiexec.exe (PID: 6968 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\T0pdaslk-guangwang-winelkxcac-64.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7016 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6868 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 897DC43AA7908FBDF146DB4280A4B33E C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6508 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 1D978FC4728A444D05DF5DFC6F0CB94A MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7088 cmdline: C:\Windows\System32\MsiExec.exe -Embedding A42AD45622494486CAE464114BFDCC7F MD5: E5DA170027542E25EDE42FC54C929077)

Microsoft_Xtools.exe (PID: 5868 cmdline: "C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\\Microsoft_Xtools.exe" MD5: 9980BA3F5506EF42212CF1D44C66757D)

explorer.exe (PID: 4380 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

ToDesk_Setup.exe (PID: 4108 cmdline: "C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe" MD5: C352B397CC1BF792AE368F562AAA19BE)

ToDesk_Setup.exe (PID: 2460 cmdline: "C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe" MD5: C352B397CC1BF792AE368F562AAA19BE)

cmd.exe (PID: 6108 cmdline: cmd.exe /c sc stop ToDesk_Service MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 3284 cmdline: sc stop ToDesk_Service MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

cmd.exe (PID: 5564 cmdline: cmd.exe /c sc delete ToDesk_Service MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 2864 cmdline: sc delete ToDesk_Service MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

cmd.exe (PID: 4020 cmdline: cmd.exe /c sc stop ToDesk_Service MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 364 cmdline: sc stop ToDesk_Service MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

cmd.exe (PID: 6444 cmdline: cmd.exe /c sc delete ToDesk_Service MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 716 cmdline: sc delete ToDesk_Service MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

netsh.exe (PID: 5852 cmdline: netsh advfirewall firewall delete rule name="ToDesk" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 1768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 1920 cmdline: netsh advfirewall firewall delete rule name="ToDesk_Service" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 1916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 2292 cmdline: netsh advfirewall firewall delete rule name="ToDesk_Session" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 3044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 688 cmdline: netsh advfirewall firewall add rule name="ToDesk" dir=in program="C:\Program Files\ToDesk\ToDesk.exe" edge=yes action=allow MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 4856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 3488 cmdline: netsh advfirewall firewall add rule name="ToDesk" dir=out program="C:\Program Files\ToDesk\ToDesk.exe" action=allow MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 4712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 1980 cmdline: netsh advfirewall firewall add rule name="ToDesk_Service" dir=in program="C:\Program Files\ToDesk\ToDesk_Service.exe" edge=yes action=allow MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 5144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 3744 cmdline: netsh advfirewall firewall add rule name="ToDesk_Service" dir=out program="C:\Program Files\ToDesk\ToDesk_Service.exe" action=allow MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 3752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 4596 cmdline: netsh advfirewall firewall add rule name="ToDesk_Session" dir=in program="C:\Program Files\ToDesk\ToDesk_Session.exe" edge=yes action=allow MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 1596 cmdline: netsh advfirewall firewall add rule name="ToDesk_Session" dir=out program="C:\Program Files\ToDesk\ToDesk_Session.exe" action=allow MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ToDesk.exe (PID: 4896 cmdline: "C:\Program Files\ToDesk\ToDesk.exe" MD5: 461C4140E0A097BFFE2EE4B8991AAB3C)

explorer.exe (PID: 5792 cmdline: C:\windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

ToDesk.exe (PID: 5712 cmdline: "C:\Program Files\ToDesk\ToDesk.exe" MD5: 461C4140E0A097BFFE2EE4B8991AAB3C)

ToDesk.exe (PID: 72 cmdline: "C:\Program Files\ToDesk\ToDesk.exe" --runadmin=true MD5: 461C4140E0A097BFFE2EE4B8991AAB3C)

svchost.exe (PID: 6180 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SgrmBroker.exe (PID: 6200 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

svchost.exe (PID: 612 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6572 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 3860 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 4108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 6648 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

ToDesk.exe (PID: 456 cmdline: "C:\Program Files\ToDesk\ToDesk.exe" --runservice MD5: 461C4140E0A097BFFE2EE4B8991AAB3C)

ToDesk.exe (PID: 3948 cmdline: "C:\Program Files\ToDesk\ToDesk.exe" --hide --localPort=35600 MD5: 461C4140E0A097BFFE2EE4B8991AAB3C)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000003.2019014454.000000000C199000.00000004.00000001.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x3bbe8:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
0000000D.00000002.1586294361.000001EADCDE4000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x37ec8:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0xc49d6:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
00000013.00000002.2496852197.0000000000880000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000013.00000002.2460978525.0000000000420000.00000020.00000001.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x2dde8:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
0000000D.00000002.1587648854.000001EADE820000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x5ba38:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
Process Memory Space: explorer.exe PID: 5792	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 47.238.100.22, DestinationIsIpv6: false, DestinationPort: 4433, EventID: 3, Image: C:\Windows\explorer.exe, Initiated: true, ProcessId: 5792, Protocol: tcp, SourceIp: 192.168.2.16, SourceIsIpv6: false, SourcePort: 49909

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2708, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Winos4.0 Framework CnC Login Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-21T21:13:41.718752+0100	2052875	1	Malware Command and Control Activity Detected	192.168.2.16	49909	47.238.100.22	4433	TCP
2025-02-21T21:14:57.137847+0100	2052875	1	Malware Command and Control Activity Detected	192.168.2.16	49909	47.238.100.22	4433	TCP

Joe Sandbox Signatures

• Cryptography
• Compliance
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB2FB000.00000002.00000001.01000000.00000017.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\CrashReport.exe	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\ToDesk.exe	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\uninst.exe	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\zrtc.dll	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\cameramic	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\cameramic\devcon.exe	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\cameramic\todeskaudio.cat	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\cameramic\ToDeskAudio.inf	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\cameramic\ToDeskAudio.sys	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\cameramic\virtual_camera_x64.dll	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\cameramic\virtual_camera_x86.dll	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\tdgamepad	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\tdgamepad\devcon.exe	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\tdgamepad\tdgamepad.cat	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\tdgamepad\TdGamePad.inf	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\tdgamepad\TdGamepad.sys	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\tdscreen	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\tdscreen\devcon.exe	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\tdscreen\tdidd.cat	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\tdscreen\tdIdd.dll	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\tdscreen\tdIdd.inf	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\vhid	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\vhid\devcon.exe	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\vhid\todeskvhid.cat	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\vhid\TodeskVhid.dll	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\vhid\TodeskVhid.inf	Jump to behavior
Source: C:\Program Files\ToDesk\ToDesk.exe	Directory created: C:\Program Files\ToDesk\config.ini
Source: C:\Program Files\ToDesk\ToDesk.exe	Directory created: C:\Program Files\ToDesk\Logs
Source: C:\Program Files\ToDesk\ToDesk.exe	Directory created: C:\Program Files\ToDesk\Logs\servicexejnqytw_2025_02_21.log
Source: C:\Program Files\ToDesk\ToDesk.exe	Directory created: C:\Program Files\ToDesk\Logs\sdkservicepulmxguu_2025_02_21.log
Source: C:\Program Files\ToDesk\ToDesk.exe	Directory created: C:\Program Files\ToDesk\Logs\zrtcserviceewwszqlz_2025_02_21.log

Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: Microsoft_Xtools.exe, 0000000D.00000002.1603179504.00007FFF46F85000.00000002.00000001.01000000.0000000A.sdmp, vcruntime140_1.dll.12.dr
Source:	Binary string: D:\jenkins\workspace\todesk-toc-win\bin\x64\Release\todesk\ToDesk.pdb source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\gitlab\vhid\driver\umdf2\x64\Release\TodeskVhid.pdb source: ToDesk_Setup.exe, 00000012.00000002.1874957635.000000000041E000.00000004.00000001.01000000.0000000C.sdmp, ToDesk_Setup.exe, 00000012.00000002.1874957635.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x64\stdDllWrapper.pdb source: T0pdaslk-guangwang-winelkxcac-64.msi, 4cdca3.rbs.2.dr, MSIE927.tmp.2.dr
Source:	Binary string: d:\agent\_work\2\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: Microsoft_Xtools.exe, 0000000D.00000002.1602453751.00007FFF415B2000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: zrtc.dll.pdb source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF26671000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: E:\NiuniuCapture\niuniu_src\nsNiuniuSkin\plugin\nsNiuniuDUI.pdb source: ToDesk_Setup.exe, 00000012.00000002.1883171743.000000006D111000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Microsoft_Xtools.exe, 0000000D.00000002.1603452415.00007FFF46FA3000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Microsoft_Xtools.exe, 0000000D.00000002.1603452415.00007FFF46FA3000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: virtual_camera_x86.dll.pdb source: virtual_camera_x86.dll.18.dr
Source:	Binary string: D:\jenkins\workspace\todesk-toc-win\bin\x64\Release\todesk\ToDesk.pdb. source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy -O2 -Ob2 -MT /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -D_WIN32_WINNT=0x0501 -D_USING_V110_SDK71_crypto\ex_data.c source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: T0pdaslk-guangwang-winelkxcac-64.msi, MSIA690.tmp.1.dr, MSI2A0D.tmp.1.dr, MSIA621.tmp.1.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: Microsoft_Xtools.exe, 0000000D.00000002.1603179504.00007FFF46F85000.00000002.00000001.01000000.0000000A.sdmp, vcruntime140_1.dll.12.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy -O2 -Ob2 -MT /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -D_WIN32_WINNT=0x0501 -D_USING_V110_SDK71_ source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp

Source: C:\Windows\explorer.exe	File opened: z:
Source: C:\Windows\explorer.exe	File opened: x:
Source: C:\Windows\explorer.exe	File opened: v:
Source: C:\Windows\explorer.exe	File opened: t:
Source: C:\Windows\explorer.exe	File opened: r:
Source: C:\Windows\explorer.exe	File opened: p:
Source: C:\Windows\explorer.exe	File opened: n:
Source: C:\Windows\explorer.exe	File opened: l:
Source: C:\Windows\explorer.exe	File opened: j:
Source: C:\Windows\explorer.exe	File opened: h:
Source: C:\Windows\explorer.exe	File opened: f:
Source: C:\Windows\System32\svchost.exe	File opened: d:
Source: C:\Windows\explorer.exe	File opened: b:
Source: C:\Windows\explorer.exe	File opened: y:
Source: C:\Windows\explorer.exe	File opened: w:
Source: C:\Windows\explorer.exe	File opened: u:
Source: C:\Windows\explorer.exe	File opened: s:
Source: C:\Windows\explorer.exe	File opened: q:
Source: C:\Windows\explorer.exe	File opened: o:
Source: C:\Windows\explorer.exe	File opened: m:
Source: C:\Windows\explorer.exe	File opened: k:
Source: C:\Windows\explorer.exe	File opened: i:
Source: C:\Windows\explorer.exe	File opened: g:
Source: C:\Windows\explorer.exe	File opened: e:
Source: C:\Program Files\ToDesk\ToDesk.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:
Source: C:\Windows\explorer.exe	File opened: [:

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2052875 - Severity 1 - ET MALWARE Winos4.0 Framework CnC Login Message : 192.168.2.16:49909 -> 47.238.100.22:4433

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 47.238.100.22 4433

Source: global traffic

TCP traffic: 192.168.2.16:49909 -> 47.238.100.22:4433

Source: Joe Sandbox View

ASN Name: CHARTER-20115US CHARTER-20115US

Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22
Source: unknown	TCP traffic detected without corresponding DNS query: 47.238.100.22

Source: global traffic	DNS traffic detected: DNS query: authds.todesk.com
Source: global traffic	DNS traffic detected: DNS query: authds.kylinlot.com
Source: global traffic	DNS traffic detected: DNS query: todeskcdnspeed.todesk.com

Source: ToDesk.exe, 00000038.00000002.2295229401.00007FFF26301000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://.jpg
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http:///dump.php?dumpserver.compresstypelognamedatetimedate
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://EVSecure-crl.geotrust.com/GeoTrustPCA.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://EVSecure-ocsp.geotrust.com0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://aia.startssl.com/certs/ca.crt0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://aia.startssl.com/certs/ca.crt02
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://aia1.wosign.com/ca1-class3-server.cer0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://aia1.wosign.com/ca1g2-server3.cer0
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://apibuss.RemoteTemporaryPasswordRemoteReplicationIDUpdateTempPassCustomChangePassword:x
Source: explorer.exe, 0000000E.00000002.2534919873.0000000007280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1547538044.000000000724F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1556114866.00000000088D7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF26085000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/gd_intermediate.crt0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://certs.starfieldtech.com/repository/1402
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl.certum.pl/ca.crl0h
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0;
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl.entrust.net/g2ca.crl0;
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl.entrust.net/rootca1.crl0;
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl.geotrust.com/GeoTrustPCA-G3.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26086000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26089000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl.geotrust.com/crls/gtglobal.crl04
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26086000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl.geotrust.com/crls/secureca.crl0F
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26086000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl.geotrust.com/crls/secureca.crl0N
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl.globalsign.com/root.crl0V
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26089000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 0000003A.00000002.2295034169.00007FFF26088000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl.globalsign.net/root.crl0=
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2608A000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl.starfieldtech.com/sfroot-g2.crl0L
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl.starfieldtech.com/sfroot.crl0L
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl.startssl.com/sfsca.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl.startssl.com/sfsca.crl0f
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl.thawte.com/ThawtePCA-G3.crl0
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2608A000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 0000003A.00000002.2295034169.00007FFF26088000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: svchost.exe, 00000000.00000002.2507661800.000001EB66200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl.ws.symantec.com/universal-root.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: explorer.exe, 0000000E.00000002.2534919873.0000000007280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1547538044.000000000724F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1556114866.00000000088D7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, virtual_camera_x86.dll.18.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: explorer.exe, 0000000E.00000002.2534919873.0000000007280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2586897655.00000000088EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2060237428.00000000088EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1547538044.000000000724F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1556114866.00000000088D7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF2609E000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crls1.wosign.com/ca1.crl0m
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crls1.wosign.com/ca1.crl0q
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp, ToDesk.exe, 00000033.00000003.1895351771.00000208CF81B000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000033.00000003.1893771860.00000208CF80C000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000033.00000002.1903608888.00000208CF81B000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000034.00000002.2488420310.00000257CD379000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000002.1893565314.000001B611B45000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1887714459.000001B611B35000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000003.2208474981.00000271BDEEC000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2246294725.00000271BDF05000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2206614243.000001ED0F0D0000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000002.2243853530.000001ED0F0E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dumpserver.todesk.com/dump.php
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://dumpserver.todesk.com/dump.phpSymInitialize
Source: svchost.exe, 00000000.00000003.1203206451.000001EB66130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB2FB000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://faac.sourceforge.net/)
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://g.symcb.com/GeoTrustPCA-G3.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26086000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://g.symcb.com/crls/gtglobal.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF26087000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 0000003A.00000002.2295034169.00007FFF26088000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://g.symcb.com/crls/gtglobal.crl0.
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26086000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://g.symcd.com0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF26087000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 0000003A.00000002.2295034169.00007FFF26088000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://g.symcd.com0L
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2608A000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://g1.symcb.com/GeoTrustPCA.crl0)
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26089000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://g1.symcb.com/crls/gtglobal.crl0/
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2608A000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://g2.symcb.com0G
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26089000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://g2.symcb.com0L
Source: ToDesk.exe, 00000038.00000002.2295229401.00007FFF26301000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: ToDesk_Setup.exe, 0000000F.00000000.1551522906.000000000040A000.00000008.00000001.01000000.0000000C.sdmp, ToDesk_Setup.exe, 00000012.00000002.1874957635.000000000040A000.00000004.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://o.ss2.us/0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 0000003A.00000002.2295034169.00007FFF2609C000.00000002.00000001.01000000.00000018.sdmp, virtual_camera_x86.dll.18.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF2609E000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp.digicert.com0K
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp.digicert.com0M
Source: explorer.exe, 0000000E.00000002.2534919873.00000000071E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1547538044.00000000071CD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp.entrust.net00
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp.entrust.net02
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26089000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp.geotrust.com0L
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26089000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 0000003A.00000002.2295034169.00007FFF26088000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp.globalsign.com/rootr10
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2608A000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp.godaddy.com/02
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp.godaddy.com/05
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF26085000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp.godaddy.com/0J
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp.starfieldtech.com/08
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp.starfieldtech.com/0;
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp.startssl.com/ca0-
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp.startssl.com/ca00
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp.startssl.com00
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2608A000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp.thawte.com0;
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp.ws.symantec.com0k
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp1.wosign.com/ca104
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://ocsp1.wosign.com/ca108
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://pca-g3-ocsp.geotrust.com0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://repository.certum.pl/ca.cer09
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF26085000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://s../../net/third_party/quiche/src/quic/core/crypto/certificate_view.cc
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF26085000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://s../../net/third_party/quiche/src/quic/core/crypto/certificate_view.ccInvalid
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://s.ss2.us/r.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://s2.symcb.com0k
Source: explorer.exe, 0000000E.00000002.2466701365.0000000000B61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: explorer.exe, 0000000E.00000000.1545905770.00000000025F0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB2FB000.00000002.00000001.01000000.00000017.sdmp, ToDesk.exe.18.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB2FB000.00000002.00000001.01000000.00000017.sdmp, ToDesk.exe.18.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://subca.ocsp-certum.com0.
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://subca.ocsp-certum.com01
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://t.symcb.com/ThawtePCA.crl0)
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://t.symcd.com01
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF2609E000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0)
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF2609E000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0/
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF2609E000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://t2.symcb.com0;
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF2609E000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://t2.symcb.com0A
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000002.1889947432.000001B611B16000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDED4000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000003.2208474981.00000271BDEEC000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2246294725.00000271BDF05000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDECD000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2238552863.00000271BDE77000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000002.2242807873.000001ED0F0AB000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2206614243.000001ED0F0D0000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2228056997.000001ED0F0B6000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000002.2243853530.000001ED0F0E3000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2228056997.000001ED0F0AA000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0A2000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2220802918.000001ED0F0A9000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2220802918.000001ED0F0B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/&
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDED4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/&oq
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/2
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/4
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/8
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/AT;.CMD;.VBS;.VBE;.JS;7
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/F
Source: ToDesk.exe, 00000033.00000003.1895351771.00000208CF81B000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000033.00000003.1893771860.00000208CF80C000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000033.00000002.1903608888.00000208CF81B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/G
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/In
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/J
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/N
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/OCESSORS=4
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/OGONSERVER=9
Source: ToDesk.exe, 00000033.00000003.1896854871.00000208CF7DA000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000033.00000002.1902486191.00000208CF7E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/P
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/R
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/SCPROCESSO
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/System32
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/TPath=C:
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/Windows
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/amW6432=C:
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/b
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/https://uc.todesk.com/https://user.todesk.com/upload.php?token=tode
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/ily
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/ineIntelPR
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/les;C:
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/m
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/m32
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/mW6432=C:
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDECD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/o
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/odules;C:
Source: ToDesk.exe, 00000033.00000003.1896854871.00000208CF7DA000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000033.00000002.1902486191.00000208CF7E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/p
Source: ToDesk.exe, 00000033.00000003.1896854871.00000208CF7DA000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000033.00000002.1902486191.00000208CF7E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/p_
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/rh
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/s
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/t3
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/vh
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/ws
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://todeskcdnspeed.todesk.com/~h
Source: svchost.exe, 00000005.00000002.1368418659.000001CA68213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF26087000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.certum.pl/CPS0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.entrust.net/CPS0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.entrust.net/rpa0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF26087000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26086000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26089000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 0000003A.00000002.2295034169.00007FFF26088000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.geotrust.com/resources/cps0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26089000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.geotrust.com/resources/cps0)
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.geotrust.com/resources/cps06
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.geotrust.com/resources/cps0;
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.geotrust.com/resources/cps0A
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF26087000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.keynectis.com/PC07
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF26087000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.keynectis.com/PC08
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.startssl.com/intermediate.pdf0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.startssl.com/policy.pdf04
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.startssl.com/policy0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.startssl.com/sfsca.crl0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.startssl.com/sfsca.crt0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.symauth.com/rpa0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.symauth.com/rpa0)
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF260B7000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.videolan.org/x264.html
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-time
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-send-timehttp://www.ietf.org/id/draft-holmer-rmcat-
Source: ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-send-timehttp://www.webrtc.org/experiments/rtp-hdre
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/color-space
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/generic-frame-descriptor-00
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/inband-cn
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/playout-delay
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/transport-wide-cc-02
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/transport-wide-cc-02http://www.webrtc.org/experiments/r
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-content-type
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-layers-allocation00
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-timing
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB2FB000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB2FB000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://www.winimage.com/zLibDllNULinvalid
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.wosign.com/policy/0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://x.ss2.us/x.cer0&
Source: explorer.exe, 0000000E.00000000.1556114866.0000000008888000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppche_16.dbK
Source: explorer.exe, 0000000E.00000000.1564679551.000000000BF18000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000E.00000002.2626418957.000000000BF31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2008974722.000000000BF31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1564679551.000000000BF18000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS0
Source: explorer.exe, 0000000E.00000002.2626418957.000000000BF31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2008974722.000000000BF31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1564679551.000000000BF18000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS2F
Source: explorer.exe, 0000000E.00000002.2626418957.000000000BF31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2008974722.000000000BF31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1564679551.000000000BF18000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSdf
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF26268000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension
Source: explorer.exe, 0000000E.00000000.1556114866.0000000008710000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2586897655.000000000875E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000E.00000000.1545476893.0000000000B14000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1546224158.0000000002F60000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2520908782.0000000002F7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000E.00000000.1556114866.00000000087E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2586897655.0000000008821000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000000E.00000002.2534919873.0000000007160000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=BD3E37D8C4964A928E655AAA177D65C1&timeOut=5000&oc
Source: explorer.exe, 0000000E.00000002.2534919873.0000000007160000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2520908782.0000000002F85000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1546224158.0000000002F60000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: svchost.exe, 00000005.00000003.1366669919.000001CA68258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: explorer.exe, 0000000E.00000000.1556114866.00000000087E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2586897655.0000000008802000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/WindyV2.svg
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://becausemomsays.com/she-wanted-to-keep-her-deceased-husbands-ring-so-she-selfishly-denied-her
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13g0vJ
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13g0vJ-dark
Source: explorer.exe, 0000000E.00000002.2534919873.00000000071A1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gK0V
Source: explorer.exe, 0000000E.00000002.2534919873.00000000071A1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gK0V-dark
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2608A000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://certs.godaddy.com/repository/0
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://certs.starfieldtech.com/repository/0
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cookpolitical.com/2020-national-popular-vote-tracker
Source: ToDesk.exe, 00000038.00000002.2295229401.00007FFF261FA000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://crbug.com/1053756
Source: ToDesk.exe, 00000038.00000002.2295229401.00007FFF261FA000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://crbug.com/1053756ICE
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF261FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://crbug.com/778929.
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF261FB000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://crbug.com/778929.%016llX%016llXKernel32.dll../../base/threading/platform_thread_win.ccJoin((
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDED4000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000003.2208474981.00000271BDEEC000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDECD000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2238552863.00000271BDE77000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000002.2242807873.000001ED0F0AB000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2206614243.000001ED0F0D0000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2228056997.000001ED0F0B6000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2228056997.000001ED0F0AA000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0A2000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2220802918.000001ED0F0A9000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2220802918.000001ED0F0B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/download
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/download(
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/download)
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/download1
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/download7v
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2228056997.000001ED0F0B6000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0A2000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2220802918.000001ED0F0B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/download8
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/download86)=C:
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/download:
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadC:
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadEB
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadNh
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadPATHEX
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadProgramA
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadROCESSOR_IDENT3
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadV
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadZh
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadf
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadgram
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadj
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadm
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadneIntelPROCES/
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadngComm
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadogramDa
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadram
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadstem32
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadstemDri
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadtem32
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadtions
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadverData=C:
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadws
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadwsTEMP
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadystem32
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD379000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/downloadz5
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas-personal.todesk.com/download~
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F08A000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000002.2238241659.000001ED0F08A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDEC3000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2238552863.00000271BDE77000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0CB000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2228056997.000001ED0F0B6000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000002.2243465242.000001ED0F0CB000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2228056997.000001ED0F0A3000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2219526305.000001ED0F0C4000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0A2000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0C4000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2219526305.000001ED0F0CB000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2220802918.000001ED0F0B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/console
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/console$
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/console(
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/console.
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDEC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/console.xS
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/console0
Source: ToDesk.exe, 00000033.00000003.1896854871.00000208CF7DA000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000033.00000002.1902486191.00000208CF7EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/console0Ds
Source: ToDesk.exe, 00000033.00000003.1896854871.00000208CF7DA000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/console5
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/console5x
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/console9
Source: ToDesk.exe, 00000033.00000003.1896854871.00000208CF7DA000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000033.00000002.1902486191.00000208CF7EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/console:Di
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/console;C:
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consoleA
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consoleC:
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consoleE;.J
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consoleF
Source: ToDesk.exe, 00000033.00000003.1896854871.00000208CF7DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consoleG
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDEC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consoleH
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consoleP
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consoleRS=4
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consoleW7
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consoleY
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consoleZ
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consoleali
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consoleb
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consolec
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consoledy
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consolee
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consolei
Source: ToDesk.exe, 00000033.00000003.1896854871.00000208CF7DA000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consolek
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consoleky
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consolele
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD331000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consoleo
Source: ToDesk.exe, 00000033.00000003.1896854871.00000208CF7DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consolep
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consoleq
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consoleq$
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2219526305.000001ED0F0C4000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consoles
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consoleuy
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consolew
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/consolex
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com/console~
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD379000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.com:
Source: ToDesk.exe, 00000037.00000003.1887714459.000001B611B35000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1889100952.000001B611B4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://daas.todesk.comkF
Source: explorer.exe, 0000000E.00000000.1556114866.0000000008888000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: svchost.exe, 00000005.00000002.1368925789.000001CA68259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1366669919.000001CA68258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000005.00000003.1366314189.000001CA68262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1366238872.000001CA6826E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1366943277.000001CA68243000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1369090764.000001CA68272000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1366875764.000001CA6825A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1366669919.000001CA68258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000005.00000003.1366669919.000001CA68258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000005.00000003.1366292360.000001CA68267000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000005.00000003.1366238872.000001CA6826E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000005.00000003.1366669919.000001CA68258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000005.00000003.1366314189.000001CA68262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1369064034.000001CA68265000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1366875764.000001CA6825A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1366669919.000001CA68258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000005.00000003.1366669919.000001CA68258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000005.00000002.1368584214.000001CA6822B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1366292360.000001CA68267000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000005.00000003.1366669919.000001CA68258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000005.00000003.1366669919.000001CA68258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000005.00000003.1366669919.000001CA68258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000005.00000003.1366314189.000001CA68262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1368767624.000001CA6823F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1369064034.000001CA68265000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000005.00000002.1368767624.000001CA6823F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000005.00000003.1366669919.000001CA68258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000005.00000003.1366314189.000001CA68262000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: ToDesk_Setup.exe, 00000012.00000002.1875989381.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.todesk.com/windowsDownloadAppFilekernel32::IsWow64Process2(ps
Source: svchost.exe, 00000005.00000003.1367150084.000001CA68230000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000005.00000002.1368767624.000001CA6823F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000005.00000003.1366314189.000001CA68262000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000005.00000003.1366943277.000001CA68243000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000005.00000003.1367150084.000001CA68230000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000005.00000003.1366669919.000001CA68258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000005.00000002.1368584214.000001CA6822B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1366292360.000001CA68267000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: explorer.exe, 0000000E.00000002.2626418957.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2040398375.000000000BFDE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1564679551.000000000BF65000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.comA
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://financebuzz.com/top-signs-of-financial-fitness?utm_source=msn&utm_medium=feed&synd_slide=1&s
Source: svchost.exe, 00000000.00000003.1203206451.000001EB661A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 00000000.00000003.1203206451.000001EB66192000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: ToDesk.exe, 00000038.00000002.2295229401.00007FFF26109000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/6293
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA10WNpO.img
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bAqmF.img
Source: explorer.exe, 0000000E.00000002.2534919873.00000000071A1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hIktm.img
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hMa61.img
Source: explorer.exe, 0000000E.00000002.2534919873.00000000071A1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42cl9.img
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1e6XdQ.img
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://news.gallup.com/poll/247016/conservatives-greatly-outnumber-liberals-states.aspx
Source: explorer.exe, 0000000E.00000002.2626418957.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2040398375.000000000BFDE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1564679551.000000000BF65000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.comsoft.A
Source: explorer.exe, 0000000E.00000000.1564679551.000000000BF65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2050416734.000000000C06F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp, ToDesk.exe, 00000033.00000003.1893771860.00000208CF830000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000033.00000003.1898912108.00000208CF831000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000034.00000002.2488420310.00000257CD379000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1887714459.000001B611B35000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1889100952.000001B611B4B000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000002.1893847062.000001B611B4F000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000003.2223054731.00000271BDF2E000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000003.2208474981.00000271BDF2A000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2222871379.000001ED0F101000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2206614243.000001ED0F0F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st.todesk.com
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD379000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st.todesk.comPJ:
Source: ToDesk.exe, 00000037.00000003.1887714459.000001B611B35000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1889100952.000001B611B4B000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000002.1893847062.000001B611B4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st.todesk.comoG
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://stacker.com/
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://stacker.com/politics/states-most-conservatives-0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF26374000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://streams.videolan.org/upload/
Source: svchost.exe, 00000005.00000003.1366943277.000001CA68243000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000005.00000003.1366926488.000001CA6823D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000005.00000003.1366926488.000001CA6823D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1366910703.000001CA6824A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1366669919.000001CA68258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000005.00000003.1366432207.000001CA6825D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000005.00000002.1368584214.000001CA6822B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000005.00000003.1366669919.000001CA68258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000005.00000002.1368925789.000001CA68259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1366669919.000001CA68258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F08A000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000002.2238241659.000001ED0F08A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDEC3000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2238552863.00000271BDE77000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0CB000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2228056997.000001ED0F0B6000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000002.2243465242.000001ED0F0CB000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2228056997.000001ED0F0A3000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2219526305.000001ED0F0C4000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0A2000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0C4000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2219526305.000001ED0F0CB000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2220802918.000001ED0F0B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/1y
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/;y
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/A
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/Cy
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/Dx3
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/E
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/H
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/K
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/M
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/Qy
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/T
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/Wy
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/ation
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/ay
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/d
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/erponse
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/esponseo
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/est
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD379000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/f
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/j
Source: ToDesk.exe, 00000033.00000003.1896854871.00000208CF7DA000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/l
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/o
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/ol
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/on
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://uc.todesk.com/orderManage/buyOrder?spuId=100&orderType=0
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://uc.todesk.com/orderManage/buyOrder?spuId=100&orderType=0WhiteBoardUpdateToastinputTextinputT
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://uc.todesk.com/orderManage/buyOrder?spuId=2&orderType=0
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://uc.todesk.com/orderManage/buyOrder?spuId=2&orderType=0MatchScreenModifyMarkEndRemoteControlC
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/ormation
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/ormationry
Source: ToDesk.exe, 00000033.00000003.1896854871.00000208CF7DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/p
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/pnnse
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/rol
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/t
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/u
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.com/y
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD379000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.comamession
Source: ToDesk.exe, 00000037.00000003.1887714459.000001B611B35000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1889100952.000001B611B4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.comhF
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://uc.todesk.comhttps://daas.todesk.comipc__pipe134.175.254.188capture__Client_9BEF579D5A8F_Ses
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD379000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uc.todesk.comj
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://update.todesk.com/tdpdfprinter.exe
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://update.todesk.com/tdpdfprinter.exetdprinter.tmp.tmpwbab
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000002.1889947432.000001B611B16000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDED4000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000003.2208474981.00000271BDEEC000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2246294725.00000271BDF05000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDECD000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2238552863.00000271BDE77000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000002.2242807873.000001ED0F0AB000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2206614243.000001ED0F0D0000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2228056997.000001ED0F0B6000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000002.2243853530.000001ED0F0E3000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2228056997.000001ED0F0AA000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0A2000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2220802918.000001ED0F0A9000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2220802918.000001ED0F0B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=$
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=.
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=0
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=6
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=:
Source: ToDesk.exe, 00000033.00000003.1893771860.00000208CF80C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=?
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=B
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=CESSORS=4OS=WK
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=COMPUT
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=Data=C:
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=ESSOR_I
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=FILE=user-PCUWv
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=FilesC
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=Jh
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=Program
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=S;.VBE;
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=System
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=USERNAs
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=Z
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=_REVISI
Source: ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=amily
Source: ToDesk.exe, 00000033.00000002.1902486191.00000208CF7ED000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000033.00000003.1896854871.00000208CF7DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=c
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=e
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=ePath=C:
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=fh
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=indows
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=indowsP
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=lesCOMPUTERNAW
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=n
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=onProgramFiles
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=profilek
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=r
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=rogram
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=v
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=z
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD379000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user.todesk.com/upload.php?token=~5
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDEC3000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2238552863.00000271BDE77000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0CB000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2228056997.000001ED0F0B6000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000002.2243465242.000001ED0F0CB000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2228056997.000001ED0F0A3000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2219526305.000001ED0F0C4000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0A2000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0C4000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2219526305.000001ED0F0CB000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2220802918.000001ED0F0B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.com
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD379000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.com$
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDEC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.com$x
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.com)
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDEC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.com0
Source: ToDesk.exe, 00000033.00000003.1896854871.00000208CF7DA000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000033.00000002.1902486191.00000208CF7EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.com1
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.com5
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.com8
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.com:
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.comA
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.comC:
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.comE
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.comMy
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.comT
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.comW
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.comWind
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.comam
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.comaxQ
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD331000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.come
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.comezxD
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.comn
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.comnseLI-P
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.comows
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.comr
Source: ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.coms
Source: ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.todesk.comtionny
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wigreports.com/about/
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000E.00000000.1556114866.0000000008AA9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/gr.exel
Source: explorer.exe, 0000000E.00000002.2626418957.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2040398375.000000000BFDE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1564679551.000000000BF65000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com8E
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.270towin.com/
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 0000003A.00000002.2295034169.00007FFF26088000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://www.alphassl.com/repository/03
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF2609E000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.financebuzz.com/clever-debt-payoff-55mp?utm_source=msn&utm_medium=feed&synd_slide=1&synd
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.forbes.com/sites/elanagross/2020/10/28/trump-administration-uses-philadelphia-protests-t
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2608A000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://www.geotrust.com/resources/cps04
Source: ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://www.geotrust.com/resources/cps06
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26086000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://www.geotrust.com/resources/repository0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF26089000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://www.globalsign.com/repository/03
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/autos/buying/if-your-old-car-has-any-of-these-16-problems-consider-buying-
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/health/medical/mayo-clinic-minute-who-benefits-from-taking-statins/ar-AA1h
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/health/medical/scientists-reveal-new-findings-about-older-adults-who-take-
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/15-attributes-of-truly-good-men/ss-AA1hJKQY
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/there-are-8-types-of-intelligence-which-one-is-yo
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/if-any-of-these-11-things-describes-you-you-ve-climb
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/george-santos-former-campaign-treasurer-pleads-guilty-to-fed
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/the-state-with-the-most-liberals-isn-t-userfornia-or-new-yor
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-asks-for-jan-6-dismissal-because-coup-attempt-was-part
Source: explorer.exe, 0000000E.00000002.2534919873.00000000071A1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/the-most-stunning-space-images-captured-in-2023-so-far/ar-
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/russian-official-proposes-invading-five-nato-countries/ar-AA1hJ
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/the-nobel-peace-prize-will-be-announced-in-oslo-the-laureate-is
Source: explorer.exe, 0000000E.00000002.2534919873.0000000007160000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 0000003A.00000002.2295034169.00007FFF26088000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://www.thawte.com/cps0
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF2609E000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://www.thawte.com/cps0)
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF2609E000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://www.thawte.com/cps02
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://www.thawte.com/cps07
Source: explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.theatlantic.com/politics/archive/2014/02/the-origin-of-liberalism/283780/
Source: ToDesk_Setup.exe, 00000012.00000002.1875989381.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.todesk.com
Source: ToDesk_Setup.exe, 00000012.00000002.1875989381.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.todesk.com/download.htmlToDesk
Source: ToDesk_Setup.exe, 00000012.00000002.1875989381.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.todesk.com/download.htmlopen
Source: ToDesk_Setup.exe, 00000012.00000002.1875989381.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.todesk.com/licence.htmleditLicenselicence_
Source: ToDesk_Setup.exe, 00000012.00000002.1875989381.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.todesk.com/licence.htmlopen

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443

Source: explorer.exe, 00000013.00000002.2496852197.0000000000880000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

Source: C:\Windows\explorer.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp

Binary or memory string: GetRawInputData

Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Program Files\ToDesk\drivers\cameramic\todeskaudio.cat	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Program Files\ToDesk\drivers\tdgamepad\tdgamepad.cat	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Program Files\ToDesk\drivers\vhid\todeskvhid.cat	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Program Files\ToDesk\drivers\tdscreen\tdidd.cat	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000000E.00000003.2019014454.000000000C199000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000D.00000002.1586294361.000001EADCDE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000013.00000002.2460978525.0000000000420000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000D.00000002.1587648854.000001EADE820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Detected VMProtect packer

Source: Microsoft_Xtools.exe.12.dr

Static PE information: .vmp0 and .vmp1 section names

Drops password protected ZIP file

Source: a11.zip.12.dr	Zip Entry: encrypted
Source: a11.zip.12.dr	Zip Entry: encrypted
Source: a11.zip.12.dr	Zip Entry: encrypted
Source: a11.zip.12.dr	Zip Entry: encrypted
Source: a11.zip.12.dr	Zip Entry: encrypted
Source: a11.zip.12.dr	Zip Entry: encrypted
Source: a11.zip.12.dr	Zip Entry: encrypted

Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe

File created: C:\Program Files\ToDesk\drivers\cameramic\ToDeskAudio.sys

Jump to behavior

Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4cdca2.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE780.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE7DE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{D35AFE46-73B4-4441-81DF-EDEE2029BCB9}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE927.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8A7.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIE780.tmp

Jump to behavior

Source: zrtc.dll.18.dr

Static PE information: Number of sections : 18 > 10

Source: T0pdaslk-guangwang-winelkxcac-64.msi	Binary or memory string: OriginalFilenamestdDllWrapper.dllF vs T0pdaslk-guangwang-winelkxcac-64.msi
Source: T0pdaslk-guangwang-winelkxcac-64.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs T0pdaslk-guangwang-winelkxcac-64.msi

Source: 0000000E.00000003.2019014454.000000000C199000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000D.00000002.1586294361.000001EADCDE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000013.00000002.2460978525.0000000000420000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000D.00000002.1587648854.000001EADE820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: BgWorker.dll.18.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: nsNiuniuSkin.dll.18.dr

Static PE information: Section: UPX1 ZLIB complexity 0.9916166417738971

Source: T0pdaslk-guangwang-winelkxcac-64.msi

Binary or memory string: h.slnu

Source: classification engine

Classification label: mal100.troj.evad.winMSI@79/82@6/5

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\ToDesk_Setup

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3752:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1916:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3908:120:WilError_03
Source: C:\Program Files\ToDesk\ToDesk.exe	Mutant created: \BaseNamedObjects\ToDesk_Service_9BEF579D5A8F
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4712:120:WilError_03
Source: C:\Program Files\ToDesk\ToDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4856:120:WilError_03
Source: C:\Program Files\ToDesk\ToDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\ToDesk_Client_9BEF579D5A8F
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:736:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSIA621.tmp

Jump to behavior

Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe

Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\System32\msiexec.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Windows\System32\svchost.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS

Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS AdInfoMsg(autoid INTEGER PRIMARY KEY AUTOINCREMENT,adid INTEGER NOT NULL,platform CHAR(256),position CHAR(256),imgurl CHAR(256),refurl CHAR(256),title CHAR(256),tip CHAR(256),begin CHAR(256),end CHAR(256),tipPriority INTEGER NOT NULL,start_timestamp INTEGER NOT NULL,expire_timestamp INTEGER NOT NULL,read INTEGER NOT NULL,push_timestamp INTEGER NOT NULL,adinfoid CHAR(256),userid CHAR(256) );
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: INSERT INTO AdInfoMsg VALUES(NULL, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', %d, %d, %d, %d, %d, '%s','%s');
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB2FB000.00000002.00000001.01000000.00000017.sdmp, ToDesk.exe.18.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS SysMsg(autoid INTEGER PRIMARY KEY AUTOINCREMENT,msgid INTEGER NOT NULL,type INTEGER NOT NULL,push_timestamp INTEGER NOT NULL,title CHAR(256),content CHAR(256),refurl CHAR(512),read INTEGER NOT NULL,userid CHAR(256) );
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: INSERT INTO SysMsg VALUES(NULL, %d, %d, %d, '%s', '%s', '%s', %d, '%s');
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB2FB000.00000002.00000001.01000000.00000017.sdmp, ToDesk.exe.18.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: INSERT INTO AdInfoMsg VALUES(NULL, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', %d, %d, %d, %d, %d,'%s','%s');
Source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB2FB000.00000002.00000001.01000000.00000017.sdmp, ToDesk.exe.18.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\T0pdaslk-guangwang-winelkxcac-64.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 897DC43AA7908FBDF146DB4280A4B33E C
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1D978FC4728A444D05DF5DFC6F0CB94A
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding A42AD45622494486CAE464114BFDCC7F
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe "C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\\Microsoft_Xtools.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe "C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe "C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\windows\explorer.exe
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c sc stop ToDesk_Service
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c sc delete ToDesk_Service
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc delete ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c sc stop ToDesk_Service
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c sc delete ToDesk_Service
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc delete ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="ToDesk"
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="ToDesk_Service"
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="ToDesk_Session"
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk" dir=in program="C:\Program Files\ToDesk\ToDesk.exe" edge=yes action=allow
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk" dir=out program="C:\Program Files\ToDesk\ToDesk.exe" action=allow
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk_Service" dir=in program="C:\Program Files\ToDesk\ToDesk_Service.exe" edge=yes action=allow
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk_Service" dir=out program="C:\Program Files\ToDesk\ToDesk_Service.exe" action=allow
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk_Session" dir=in program="C:\Program Files\ToDesk\ToDesk_Session.exe" edge=yes action=allow
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk_Session" dir=out program="C:\Program Files\ToDesk\ToDesk_Session.exe" action=allow
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Program Files\ToDesk\ToDesk.exe "C:\Program Files\ToDesk\ToDesk.exe"
Source: unknown	Process created: C:\Program Files\ToDesk\ToDesk.exe "C:\Program Files\ToDesk\ToDesk.exe" --runservice
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\ToDesk\ToDesk.exe	Process created: C:\Program Files\ToDesk\ToDesk.exe "C:\Program Files\ToDesk\ToDesk.exe" --hide --localPort=35600
Source: C:\Windows\explorer.exe	Process created: C:\Program Files\ToDesk\ToDesk.exe "C:\Program Files\ToDesk\ToDesk.exe"
Source: C:\Program Files\ToDesk\ToDesk.exe	Process created: C:\Program Files\ToDesk\ToDesk.exe "C:\Program Files\ToDesk\ToDesk.exe" --runadmin=true
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 897DC43AA7908FBDF146DB4280A4B33E C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1D978FC4728A444D05DF5DFC6F0CB94A
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding A42AD45622494486CAE464114BFDCC7F
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe "C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\\Microsoft_Xtools.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe "C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Program Files\ToDesk\ToDesk.exe "C:\Program Files\ToDesk\ToDesk.exe"
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c sc stop ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c sc delete ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c sc stop ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c sc delete ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="ToDesk"
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="ToDesk_Service"
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="ToDesk_Session"
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk" dir=in program="C:\Program Files\ToDesk\ToDesk.exe" edge=yes action=allow
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk" dir=out program="C:\Program Files\ToDesk\ToDesk.exe" action=allow
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk_Service" dir=in program="C:\Program Files\ToDesk\ToDesk_Service.exe" edge=yes action=allow
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk_Service" dir=out program="C:\Program Files\ToDesk\ToDesk_Service.exe" action=allow
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk_Session" dir=in program="C:\Program Files\ToDesk\ToDesk_Session.exe" edge=yes action=allow
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk_Session" dir=out program="C:\Program Files\ToDesk\ToDesk_Session.exe" action=allow
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Program Files\ToDesk\ToDesk.exe "C:\Program Files\ToDesk\ToDesk.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop ToDesk_Service
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc delete ToDesk_Service
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop ToDesk_Service
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc delete ToDesk_Service
Source: C:\Program Files\ToDesk\ToDesk.exe	Process created: C:\Program Files\ToDesk\ToDesk.exe "C:\Program Files\ToDesk\ToDesk.exe" --hide --localPort=35600

Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: riched20.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: usp10.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	Section loaded: unityplayer.dll
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	Section loaded: feclient.dll
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	Section loaded: iertutil.dll
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	Section loaded: wininet.dll
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	Section loaded: mscoree.dll
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: shfolder.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: iconcodecservice.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: riched20.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: usp10.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: msls31.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: msimg32.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: msftedit.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: textshaping.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: windows.globalization.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: bcp47mrm.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: globinputhost.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: linkinfo.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: ntshrui.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: cscapi.dll
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: mscoree.dll
Source: C:\Windows\explorer.exe	Section loaded: winmm.dll
Source: C:\Windows\explorer.exe	Section loaded: dinput8.dll
Source: C:\Windows\explorer.exe	Section loaded: inputhost.dll
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe	Section loaded: napinsp.dll
Source: C:\Windows\explorer.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wshbth.dll
Source: C:\Windows\explorer.exe	Section loaded: nlaapi.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: winrnr.dll
Source: C:\Windows\explorer.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\explorer.exe	Section loaded: devenum.dll
Source: C:\Windows\explorer.exe	Section loaded: devobj.dll
Source: C:\Windows\explorer.exe	Section loaded: msasn1.dll
Source: C:\Windows\explorer.exe	Section loaded: msdmo.dll
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll
Source: C:\Windows\explorer.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32

Source: ToDesk.lnk.18.dr	LNK file: ..\..\..\Program Files\ToDesk\ToDesk.exe
Source: ToDesk.lnk0.18.dr	LNK file: ..\..\..\..\..\..\Program Files\ToDesk\ToDesk.exe
Source: Uninstall ToDesk.lnk.18.dr	LNK file: ..\..\..\..\..\..\Program Files\ToDesk\uninst.exe

Source: C:\Program Files\ToDesk\ToDesk.exe

File written: C:\Program Files\ToDesk\config.ini

Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe

File opened: C:\Windows\SysWOW64\Msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\CrashReport.exe	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\ToDesk.exe	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\uninst.exe	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\zrtc.dll	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\cameramic	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\cameramic\devcon.exe	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\cameramic\todeskaudio.cat	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\cameramic\ToDeskAudio.inf	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\cameramic\ToDeskAudio.sys	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\cameramic\virtual_camera_x64.dll	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\cameramic\virtual_camera_x86.dll	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\tdgamepad	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\tdgamepad\devcon.exe	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\tdgamepad\tdgamepad.cat	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\tdgamepad\TdGamePad.inf	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\tdgamepad\TdGamepad.sys	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\tdscreen	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\tdscreen\devcon.exe	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\tdscreen\tdidd.cat	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\tdscreen\tdIdd.dll	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\tdscreen\tdIdd.inf	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\vhid	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\vhid\devcon.exe	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\vhid\todeskvhid.cat	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\vhid\TodeskVhid.dll	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Directory created: C:\Program Files\ToDesk\drivers\vhid\TodeskVhid.inf	Jump to behavior
Source: C:\Program Files\ToDesk\ToDesk.exe	Directory created: C:\Program Files\ToDesk\config.ini
Source: C:\Program Files\ToDesk\ToDesk.exe	Directory created: C:\Program Files\ToDesk\Logs
Source: C:\Program Files\ToDesk\ToDesk.exe	Directory created: C:\Program Files\ToDesk\Logs\servicexejnqytw_2025_02_21.log
Source: C:\Program Files\ToDesk\ToDesk.exe	Directory created: C:\Program Files\ToDesk\Logs\sdkservicepulmxguu_2025_02_21.log
Source: C:\Program Files\ToDesk\ToDesk.exe	Directory created: C:\Program Files\ToDesk\Logs\zrtcserviceewwszqlz_2025_02_21.log

Source: T0pdaslk-guangwang-winelkxcac-64.msi

Static file information: File size 95763456 > 1048576

Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: Microsoft_Xtools.exe, 0000000D.00000002.1603179504.00007FFF46F85000.00000002.00000001.01000000.0000000A.sdmp, vcruntime140_1.dll.12.dr
Source:	Binary string: D:\jenkins\workspace\todesk-toc-win\bin\x64\Release\todesk\ToDesk.pdb source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\gitlab\vhid\driver\umdf2\x64\Release\TodeskVhid.pdb source: ToDesk_Setup.exe, 00000012.00000002.1874957635.000000000041E000.00000004.00000001.01000000.0000000C.sdmp, ToDesk_Setup.exe, 00000012.00000002.1874957635.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x64\stdDllWrapper.pdb source: T0pdaslk-guangwang-winelkxcac-64.msi, 4cdca3.rbs.2.dr, MSIE927.tmp.2.dr
Source:	Binary string: d:\agent\_work\2\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: Microsoft_Xtools.exe, 0000000D.00000002.1602453751.00007FFF415B2000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: zrtc.dll.pdb source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF26671000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: E:\NiuniuCapture\niuniu_src\nsNiuniuSkin\plugin\nsNiuniuDUI.pdb source: ToDesk_Setup.exe, 00000012.00000002.1883171743.000000006D111000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Microsoft_Xtools.exe, 0000000D.00000002.1603452415.00007FFF46FA3000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Microsoft_Xtools.exe, 0000000D.00000002.1603452415.00007FFF46FA3000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: virtual_camera_x86.dll.pdb source: virtual_camera_x86.dll.18.dr
Source:	Binary string: D:\jenkins\workspace\todesk-toc-win\bin\x64\Release\todesk\ToDesk.pdb. source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy -O2 -Ob2 -MT /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -D_WIN32_WINNT=0x0501 -D_USING_V110_SDK71_crypto\ex_data.c source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: T0pdaslk-guangwang-winelkxcac-64.msi, MSIA690.tmp.1.dr, MSI2A0D.tmp.1.dr, MSIA621.tmp.1.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: Microsoft_Xtools.exe, 0000000D.00000002.1603179504.00007FFF46F85000.00000002.00000001.01000000.0000000A.sdmp, vcruntime140_1.dll.12.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy -O2 -Ob2 -MT /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -D_WIN32_WINNT=0x0501 -D_USING_V110_SDK71_ source: ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp

Source: VCRUNTIME140.dll.12.dr

Static PE information: 0xE2E02087 [Sun Aug 13 20:26:47 2090 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp1

Source: MSVCP140.dll.12.dr	Static PE information: section name: .didat
Source: VCRUNTIME140.dll.12.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.12.dr	Static PE information: section name: _RDATA
Source: Microsoft_Xtools.exe.12.dr	Static PE information: section name: _RDATA
Source: Microsoft_Xtools.exe.12.dr	Static PE information: section name: .vmp0
Source: Microsoft_Xtools.exe.12.dr	Static PE information: section name: .vmp1
Source: SimpleSC.dll.18.dr	Static PE information: section name: .didata
Source: ToDesk.exe.18.dr	Static PE information: section name: .rodata
Source: ToDesk.exe.18.dr	Static PE information: section name: _RDATA
Source: zrtc.dll.18.dr	Static PE information: section name: .00cfg
Source: zrtc.dll.18.dr	Static PE information: section name: .nvFatBi
Source: zrtc.dll.18.dr	Static PE information: section name: .nv_fatb
Source: zrtc.dll.18.dr	Static PE information: section name: .retplne
Source: zrtc.dll.18.dr	Static PE information: section name: .rodata
Source: zrtc.dll.18.dr	Static PE information: section name: .voltbl
Source: zrtc.dll.18.dr	Static PE information: section name: .xdata
Source: zrtc.dll.18.dr	Static PE information: section name: IPPCODE
Source: zrtc.dll.18.dr	Static PE information: section name: IPPDATA
Source: zrtc.dll.18.dr	Static PE information: section name: _RDATA
Source: virtual_camera_x64.dll.18.dr	Static PE information: section name: _RDATA
Source: tdIdd.dll.18.dr	Static PE information: section name: _RDATA
Source: TodeskVhid.dll.18.dr	Static PE information: section name: _RDATA

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Program Files\ToDesk\drivers\cameramic\ToDeskAudio.sys	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Program Files\ToDesk\drivers\tdgamepad\TdGamepad.sys	Jump to behavior
Source: C:\Windows\explorer.exe	File created: C:\ProgramData\kernelquick.sys

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIA690.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Program Files\ToDesk\drivers\vhid\devcon.exe	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Program Files\ToDesk\drivers\cameramic\ToDeskAudio.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIA6B0.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\System.dll	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\nsNiuniuSkin.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\pwand.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8A7.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\nsSCM.dll	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Program Files\ToDesk\drivers\cameramic\devcon.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\MSVCP140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI2A0D.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\killer.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE7DE.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Program Files\ToDesk\zrtc.dll	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Program Files\ToDesk\drivers\tdgamepad\TdGamepad.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\BgWorker.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\vcruntime140_1.dll	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Program Files\ToDesk\drivers\tdscreen\devcon.exe	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Program Files\ToDesk\drivers\tdscreen\tdIdd.dll	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Program Files\ToDesk\ToDesk.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE780.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIA7BC.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Program Files\ToDesk\uninst.exe	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Program Files\ToDesk\drivers\vhid\TodeskVhid.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\nsExec.dll	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Program Files\ToDesk\drivers\tdgamepad\devcon.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIA621.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\SimpleSC.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIA78D.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Program Files\ToDesk\drivers\cameramic\virtual_camera_x64.dll	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Program Files\ToDesk\CrashReport.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIA6C0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\UnityPlayer.dll	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\Program Files\ToDesk\drivers\cameramic\virtual_camera_x86.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe

File created: C:\ProgramData\pwand.dll

Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE780.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8A7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE7DE.tmp	Jump to dropped file

Source: C:\Program Files\ToDesk\ToDesk.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ToDesk_Service

Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ToDesk	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ToDesk\ToDesk.lnk	Jump to behavior
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ToDesk\Uninstall ToDesk.lnk	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\sc.exe sc stop ToDesk_Service

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	Memory written: PID: 5868 base: 7FFF4F43000D value: E9 BB CB EC FF
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	Memory written: PID: 5868 base: 7FFF4F2FCBC0 value: E9 5A 34 13 00

Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\AiServer MyData

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ToDesk\ToDesk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ToDesk\ToDesk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ToDesk\ToDesk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ToDesk\ToDesk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ToDesk\ToDesk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ToDesk\ToDesk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ToDesk\ToDesk.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe

Section loaded: OutputDebugStringW count: 539

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	RDTSC instruction interceptor: First address: 7FF6DA465B86 second address: 7FF6DA422929 instructions: 0x00000000 rdtsc 0x00000002 mov al, dh 0x00000004 jmp 00007F8238BB741Ah 0x00000009 inc ecx 0x0000000a rol eax, 1 0x0000000c dec eax 0x0000000d bswap ebx 0x0000000f dec ebp 0x00000011 inc cx 0x00000013 movsx esi, al 0x00000016 inc ecx 0x00000017 dec eax 0x00000019 dec ebp 0x0000001a add eax, ebx 0x0000001c inc ecx 0x0000001d shl dl, FFFFFFA7h 0x00000020 ror bh, FFFFFF93h 0x00000023 dec eax 0x00000024 mov esi, 00000000h 0x00000029 add dword ptr [eax], eax 0x0000002b add byte ptr [eax], al 0x0000002d inc ecx 0x0000002e rcl dl, cl 0x00000030 dec esp 0x00000031 add eax, esi 0x00000033 mov al, al 0x00000035 dec esp 0x00000036 mov edx, esp 0x00000038 inc eax 0x00000039 or ch, dh 0x0000003b dec eax 0x0000003c sub esp, 00000180h 0x00000042 dec eax 0x00000043 and esp, FFFFFFF0h 0x00000049 adc ebx, esp 0x0000004b dec ecx 0x0000004c mov ebx, eax 0x0000004e rdtsc
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	RDTSC instruction interceptor: First address: 7FF6DA14AEA8 second address: 7FF6DA04EDC6 instructions: 0x00000000 rdtsc 0x00000002 mov al, dh 0x00000004 jmp 00007F8238A138D5h 0x00000009 inc ecx 0x0000000a rol eax, 1 0x0000000c dec eax 0x0000000d bswap ebx 0x0000000f dec ebp 0x00000011 inc cx 0x00000013 movsx esi, al 0x00000016 inc ecx 0x00000017 dec eax 0x00000019 dec ebp 0x0000001a add eax, ebx 0x0000001c inc ecx 0x0000001d shl dl, FFFFFFA7h 0x00000020 ror bh, FFFFFF93h 0x00000023 dec eax 0x00000024 mov esi, 00000000h 0x00000029 add dword ptr [eax], eax 0x0000002b add byte ptr [eax], al 0x0000002d inc ecx 0x0000002e rcl dl, cl 0x00000030 dec esp 0x00000031 add eax, esi 0x00000033 mov al, al 0x00000035 dec esp 0x00000036 mov edx, esp 0x00000038 inc eax 0x00000039 or ch, dh 0x0000003b dec eax 0x0000003c sub esp, 00000180h 0x00000042 dec eax 0x00000043 and esp, FFFFFFF0h 0x00000049 adc ebx, esp 0x0000004b dec ecx 0x0000004c mov ebx, eax 0x0000004e rdtsc

Tries to evade analysis by execution special instruction (VM detection)

Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe

Special instruction interceptor: First address: 7FF6DA408F85 instructions rdtsc caused by: RDTSC with Trap Flag (TF)

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3185
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5923
Source: C:\Program Files\ToDesk\ToDesk.exe	Window / User API: threadDelayed 4079

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA690.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Dropped PE file which has not been started: C:\Program Files\ToDesk\drivers\vhid\devcon.exe	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Dropped PE file which has not been started: C:\Program Files\ToDesk\drivers\cameramic\ToDeskAudio.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA6B0.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\System.dll	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\nsNiuniuSkin.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\pwand.dll	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Dropped PE file which has not been started: C:\Program Files\ToDesk\drivers\cameramic\devcon.exe	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\nsSCM.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI8A7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2A0D.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\killer.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE7DE.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Dropped PE file which has not been started: C:\Program Files\ToDesk\drivers\tdgamepad\TdGamepad.sys	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\BgWorker.dll	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Dropped PE file which has not been started: C:\Program Files\ToDesk\drivers\tdscreen\devcon.exe	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Dropped PE file which has not been started: C:\Program Files\ToDesk\drivers\tdscreen\tdIdd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE780.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Dropped PE file which has not been started: C:\Program Files\ToDesk\uninst.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA7BC.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\nsExec.dll	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Dropped PE file which has not been started: C:\Program Files\ToDesk\drivers\tdgamepad\devcon.exe	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\SimpleSC.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA621.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Dropped PE file which has not been started: C:\Program Files\ToDesk\drivers\cameramic\virtual_camera_x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA78D.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Dropped PE file which has not been started: C:\Program Files\ToDesk\CrashReport.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA6C0.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Dropped PE file which has not been started: C:\Program Files\ToDesk\drivers\cameramic\virtual_camera_x86.dll	Jump to dropped file

Source: C:\Windows\System32\svchost.exe TID: 6944	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2732	Thread sleep time: -91000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1436	Thread sleep time: -31850s >= -30000s
Source: C:\Windows\explorer.exe TID: 2732	Thread sleep time: -5923000s >= -30000s
Source: C:\Program Files\ToDesk\ToDesk.exe TID: 6848	Thread sleep count: 4079 > 30
Source: C:\Program Files\ToDesk\ToDesk.exe TID: 4792	Thread sleep count: 39 > 30

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Program Files\ToDesk\ToDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Program Files\ToDesk\ToDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Program Files\ToDesk\ToDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Program Files\ToDesk\ToDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Program Files\ToDesk\ToDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files\ToDesk\ToDesk.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	File Volume queried: C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp FullSizeInformation

Source: ToDesk.exe, 00000034.00000003.1924604887.00000257D0718000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Vol
Source: ToDesk.exe, 0000003A.00000003.2206614243.000001ED0F14A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp	Binary or memory string: WebRTC-AllowMACBasedIPv6Network change was observedVMnetStartUpdatingSocket creation failedConnect failed with UpdateNetworksContinuallyNetworkManager detected networks:, active ? , IgnoredWebRTC-UseDifferentiatedCellularCostsNet[:id=Enabled
Source: svchost.exe, 00000007.00000002.2480951619.000002C780475000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@
Source: explorer.exe, 0000000E.00000003.1998697487.0000000008A54000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00lT8
Source: ToDesk.exe, 0000003A.00000003.2206614243.000001ED0F14A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: stringComputer System ProductComputer System ProductM5HXHL0CC82742-52E4-CC1D-A08F-D3A4823E8F04VMware, Inc.None
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF26383000.00000002.00000001.01000000.00000018.sdmp	Binary or memory string: vmncVMware Screen Codec / VMware Videovp5On2 VP5vp6On2 VP6vp6fOn2 VP6 (Flash version)targaTruevision Targa imageimage/x-targaimage/x-tga
Source: explorer.exe, 0000000E.00000002.2466701365.0000000000B56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000000.00000002.2513968592.000001EB6625E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.2510633848.000001EB6623F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.2486931921.000001EB60C2B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2586897655.00000000088B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1556114866.0000000008888000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1556114866.00000000088D7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000E.00000002.2466701365.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000q;
Source: ToDesk.exe, 00000034.00000003.1924604887.00000257D0718000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vHyper-V Da
Source: svchost.exe, 00000007.00000002.2480951619.000002C780465000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000es
Source: svchost.exe, 00000007.00000002.2483350035.000002C78047F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000003.1998697487.00000000089EA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}9d2}i
Source: ToDesk.exe, 00000033.00000003.1897883540.00000208CF7C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: netsh.exe, 00000020.00000003.1681229554.0000000000D92000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
Source: netsh.exe, 00000023.00000002.1696316811.0000000003700000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000025.00000002.1708914818.00000000035A0000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000027.00000003.1715065076.0000000000531000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000029.00000003.1721617491.0000000000F61000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000002B.00000003.1726818803.0000000000791000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000002B.00000003.1727351278.0000000000794000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000002D.00000002.1732550742.0000000000BE4000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000002D.00000003.1731252427.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000002F.00000003.1735793969.0000000000E42000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000031.00000003.1741482839.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000031.00000002.1742670402.00000000011F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 0000000E.00000000.1556114866.00000000088D7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000013.00000002.2466736069.00000000005BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll99
Source: ToDesk.exe, 00000034.00000002.2488420310.00000257CD331000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlluu
Source: ToDesk.exe, 00000037.00000003.1888490296.000001B611AF5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
Source: explorer.exe, 0000000E.00000002.2586897655.00000000089F4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000T
Source: explorer.exe, 0000000E.00000000.1547538044.00000000071FF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}W6
Source: svchost.exe, 00000007.00000002.2476731968.000002C78044C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000000.1556114866.00000000088D7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: ToDesk.exe, 00000038.00000002.2295229401.00007FFF260F8000.00000002.00000001.01000000.00000018.sdmp	Binary or memory string: VMnet
Source: explorer.exe, 0000000E.00000000.1556114866.0000000008888000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000nf
Source: ToDesk.exe, 0000003A.00000003.2206614243.000001ED0F14A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: stringComputer System ProductComputer System ProductM5HXHL0CC82742-52E4-CC1D-A08F-D3A4823E8F04VMware, Inc.Noney*
Source: svchost.exe, 00000007.00000002.2474455248.000002C78042B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000000.1556114866.0000000008770000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWUSm32\DriverStore\en-US\usb.inf_locK
Source: ToDesk.exe, 00000034.00000003.1924604887.00000257D0718000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hear
Source: explorer.exe, 0000000E.00000000.1556114866.0000000008888000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00
Source: svchost.exe, 00000007.00000002.2468413723.000002C78040B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: ToDesk.exe, 00000034.00000003.1924604887.00000257D0718000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Gues
Source: ToDesk.exe, 00000033.00000002.1904483843.00000208CF88C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2742-52E4-CC1D-A08F-D3A4823E8F04VMware, Inc.
Source: svchost.exe, 00000007.00000002.2476731968.000002C78044C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000002.2466701365.0000000000B56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000000E.00000003.1998697487.00000000089EA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: ToDesk.exe, 00000037.00000002.2294923227.00007FFF26383000.00000002.00000001.01000000.00000018.sdmp	Binary or memory string: VMware Screen Codec / VMware Video

Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe

System information queried: ModuleInformation

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe

Thread information set: HideFromDebugger

Tries to detect debuggers (CloseHandle check)

Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe

Handle closed: DEADC0DE

Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	Process queried: DebugPort
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	Process queried: DebugObjectHandle

Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process token adjusted: Debug
Source: C:\Program Files\ToDesk\ToDesk.exe	Process token adjusted: Debug
Source: C:\Program Files\ToDesk\ToDesk.exe	Process token adjusted: Debug
Source: C:\Program Files\ToDesk\ToDesk.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 47.238.100.22 4433

Allocates memory in foreign processes

Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	Memory allocated: C:\Windows\explorer.exe base: 2CF0000 protect: page execute and read and write
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	Memory allocated: C:\Windows\explorer.exe base: 8050000 protect: page read and write

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	NtMapViewOfSection: Indirect: 0x1EADE87D696
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	NtMapViewOfSection: Indirect: 0x1EADE87DBD3

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	Memory written: PID: 4380 base: 2CF0000 value: E9
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	Memory written: PID: 4380 base: 8050000 value: 00
Source: C:\Windows\explorer.exe	Memory written: PID: 5792 base: 420000 value: E8

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\explorer.exe

Thread register set: target process: 5792

Performs DNS TXT record lookups

Source: Traffic	DNS traffic detected: queries for: authds.kylinlot.com
Source: Traffic	DNS traffic detected: queries for: authds.kylinlot.com
Source: Traffic	DNS traffic detected: queries for: authds.kylinlot.com
Source: Traffic	DNS traffic detected: queries for: authds.kylinlot.com

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\explorer.exe

Thread register set: 5792 C1A6E00

Writes to foreign memory regions

Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	Memory written: C:\Windows\explorer.exe base: 2CF0000
Source: C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	Memory written: C:\Windows\explorer.exe base: 8050000

Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c sc stop ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c sc delete ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c sc stop ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c sc delete ToDesk_Service
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="ToDesk"
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="ToDesk_Service"
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="ToDesk_Session"
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk" dir=in program="C:\Program Files\ToDesk\ToDesk.exe" edge=yes action=allow
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk" dir=out program="C:\Program Files\ToDesk\ToDesk.exe" action=allow
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk_Service" dir=in program="C:\Program Files\ToDesk\ToDesk_Service.exe" edge=yes action=allow
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk_Service" dir=out program="C:\Program Files\ToDesk\ToDesk_Service.exe" action=allow
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk_Session" dir=in program="C:\Program Files\ToDesk\ToDesk_Session.exe" edge=yes action=allow
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ToDesk_Session" dir=out program="C:\Program Files\ToDesk\ToDesk_Session.exe" action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop ToDesk_Service
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc delete ToDesk_Service
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop ToDesk_Service
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc delete ToDesk_Service

Source: explorer.exe, 0000000E.00000000.1556114866.00000000089C9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2534062078.0000000004550000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.1998697487.0000000008A15000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000002.2507661761.0000000001114000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.1545792498.0000000001111000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000002.2466701365.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1545476893.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *Progman
Source: explorer.exe, 0000000E.00000002.2507661761.0000000001114000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.1545792498.0000000001111000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: bProgram Manager]
Source: explorer.exe, 0000000E.00000002.2507661761.0000000001114000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.1545792498.0000000001111000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: ToDesk.exe, 00000038.00000002.2295229401.00007FFF26301000.00000002.00000001.01000000.00000018.sdmp	Binary or memory string: ../../third_party/webrtc/modules/desktop_capture/win/window_capture_utils.ccFail to create instance of VirtualDesktopManagerChrome_WidgetWin_ProgmanButton

Source: C:\Program Files\ToDesk\ToDesk.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\ToDesk\ToDesk.exe	Queries volume information: C:\Program Files\ToDesk\Logs\servicexejnqytw_2025_02_21.log VolumeInformation
Source: C:\Program Files\ToDesk\ToDesk.exe	Queries volume information: C:\Program Files\ToDesk\Logs\servicexejnqytw_2025_02_21.log VolumeInformation
Source: C:\Program Files\ToDesk\ToDesk.exe	Queries volume information: C:\Program Files\ToDesk\Logs\sdkservicepulmxguu_2025_02_21.log VolumeInformation
Source: C:\Program Files\ToDesk\ToDesk.exe	Queries volume information: C:\Program Files\ToDesk\Logs\sdkservicepulmxguu_2025_02_21.log VolumeInformation
Source: C:\Program Files\ToDesk\ToDesk.exe	Queries volume information: C:\Program Files\ToDesk\Logs\servicexejnqytw_2025_02_21.log VolumeInformation
Source: C:\Program Files\ToDesk\ToDesk.exe	Queries volume information: C:\Program Files\ToDesk\Logs\zrtcserviceewwszqlz_2025_02_21.log VolumeInformation
Source: C:\Program Files\ToDesk\ToDesk.exe	Queries volume information: C:\Program Files\ToDesk\Logs\sdkservicepulmxguu_2025_02_21.log VolumeInformation
Source: C:\Program Files\ToDesk\ToDesk.exe	Queries volume information: C:\Program Files\ToDesk\Logs\servicexejnqytw_2025_02_21.log VolumeInformation

Source: C:\Program Files\ToDesk\ToDesk.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Modifies the windows firewall

Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="ToDesk"

Uses netsh to modify the Windows network and firewall settings

Source: C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="ToDesk"

Source: svchost.exe, 00000008.00000002.2486089087.0000025ACAB02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000008.00000002.2486089087.0000025ACAB02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match	File source: 00000013.00000002.2496852197.0000000000880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5792, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match	File source: 00000013.00000002.2496852197.0000000000880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5792, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	3 Disable or Modify Tools	1 Credential API Hooking	11 Peripheral Device Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Service Execution	21 Windows Service	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	31 Input Capture	2 File and Directory Discovery	Remote Desktop Protocol	1 Credential API Hooking	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	21 Windows Service	1 Obfuscated Files or Information	Security Account Manager	244 System Information Discovery	SMB/Windows Admin Shares	31 Input Capture	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	612 Process Injection	21 Software Packing	NTDS	461 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	25 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	23 Masquerading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	25 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	612 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
T0pdaslk-guangwang-winelkxcac-64.msi	2%	Virustotal		Browse
T0pdaslk-guangwang-winelkxcac-64.msi	5%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe	0%	ReversingLabs
C:\Program Files\ToDesk\CrashReport.exe	2%	ReversingLabs
C:\Program Files\ToDesk\ToDesk.exe	0%	ReversingLabs
C:\Program Files\ToDesk\drivers\cameramic\ToDeskAudio.sys	0%	ReversingLabs
C:\Program Files\ToDesk\drivers\cameramic\devcon.exe	0%	ReversingLabs
C:\Program Files\ToDesk\drivers\cameramic\virtual_camera_x64.dll	0%	ReversingLabs
C:\Program Files\ToDesk\drivers\cameramic\virtual_camera_x86.dll	0%	ReversingLabs
C:\Program Files\ToDesk\drivers\tdgamepad\TdGamepad.sys	0%	ReversingLabs
C:\Program Files\ToDesk\drivers\tdgamepad\devcon.exe	0%	ReversingLabs
C:\Program Files\ToDesk\drivers\tdscreen\devcon.exe	0%	ReversingLabs
C:\Program Files\ToDesk\drivers\tdscreen\tdIdd.dll	0%	ReversingLabs
C:\Program Files\ToDesk\drivers\vhid\TodeskVhid.dll	0%	ReversingLabs
C:\Program Files\ToDesk\drivers\vhid\devcon.exe	0%	ReversingLabs
C:\Program Files\ToDesk\uninst.exe	0%	ReversingLabs
C:\Program Files\ToDesk\zrtc.dll	0%	ReversingLabs
C:\ProgramData\pwand.dll	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI2A0D.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIA621.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIA690.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIA6B0.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIA6C0.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIA78D.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIA7BC.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\BgWorker.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\SimpleSC.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\killer.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\nsNiuniuSkin.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsm2FF3.tmp\nsSCM.dll	0%	ReversingLabs
C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\MSVCP140.dll	0%	ReversingLabs
C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe	3%	ReversingLabs
C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\vcruntime140_1.dll	0%	ReversingLabs
C:\Windows\Installer\MSI8A7.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIE780.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIE7DE.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://daas-personal.todesk.com/downloadm	0%	Avira URL Cloud	safe
https://daas-personal.todesk.com/downloadj	0%	Avira URL Cloud	safe
https://daas-personal.todesk.com/downloadf	0%	Avira URL Cloud	safe
https://daas-personal.todesk.com/downloadROCESSOR_IDENT3	0%	Avira URL Cloud	safe
https://daas-personal.todesk.com/downloadPATHEX	0%	Avira URL Cloud	safe
http://faac.sourceforge.net/)	0%	Avira URL Cloud	safe
https://daas.todesk.com/consoleali	0%	Avira URL Cloud	safe
https://user.todesk.com/upload.php?token=Jh	0%	Avira URL Cloud	safe
https://www.todesk.com/download.htmlToDesk	0%	Avira URL Cloud	safe
https://daas-personal.todesk.com/downloadV	0%	Avira URL Cloud	safe
https://daas.todesk.com/console	0%	Avira URL Cloud	safe
https://uc.todesk.com/ol	0%	Avira URL Cloud	safe
https://daas-personal.todesk.com/download~	0%	Avira URL Cloud	safe
https://www.todesk.com/licence.htmlopen	0%	Avira URL Cloud	safe
https://user.todesk.com/upload.php?token=ePath=C:	0%	Avira URL Cloud	safe
https://uc.todesk.com/on	0%	Avira URL Cloud	safe
https://daas-personal.todesk.com/download	0%	Avira URL Cloud	safe
https://uc.todesk.com/orderManage/buyOrder?spuId=2&orderType=0	0%	Avira URL Cloud	safe
http:///dump.php?dumpserver.compresstypelognamedatetimedate	0%	Avira URL Cloud	safe
https://dl.todesk.com/windowsDownloadAppFilekernel32::IsWow64Process2(ps	0%	Avira URL Cloud	safe
https://daas-personal.todesk.com/downloadProgramA	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13g0vJ-dark	0%	Avira URL Cloud	safe
https://user.todesk.com/upload.php?token=ESSOR_I	0%	Avira URL Cloud	safe
https://daas-personal.todesk.com/downloadngComm	0%	Avira URL Cloud	safe
https://daas.todesk.com/console;C:	0%	Avira URL Cloud	safe
https://uc.todesk.com/esponseo	0%	Avira URL Cloud	safe
https://wechat.todesk.comtionny	0%	Avira URL Cloud	safe
https://uc.todesk.com/y	0%	Avira URL Cloud	safe
https://wechat.todesk.comaxQ	0%	Avira URL Cloud	safe
https://www.todesk.com/download.htmlopen	0%	Avira URL Cloud	safe
https://user.todesk.com/upload.php?token=USERNAs	0%	Avira URL Cloud	safe
https://user.todesk.com/upload.php?token=lesCOMPUTERNAW	0%	Avira URL Cloud	safe
https://uc.todesk.com/f	0%	Avira URL Cloud	safe
https://daas-personal.todesk.com/downloadwsTEMP	0%	Avira URL Cloud	safe
https://crbug.com/1053756ICE	0%	Avira URL Cloud	safe
http://dumpserver.todesk.com/dump.phpSymInitialize	0%	Avira URL Cloud	safe
https://uc.todesk.com/1y	0%	Avira URL Cloud	safe
https://uc.todesk.com/d	0%	Avira URL Cloud	safe
https://wechat.todesk.comMy	0%	Avira URL Cloud	safe
https://uc.todesk.com/j	0%	Avira URL Cloud	safe
https://outlook.comsoft.A	0%	Avira URL Cloud	safe
https://uc.todesk.com/l	0%	Avira URL Cloud	safe
https://uc.todesk.com/o	0%	Avira URL Cloud	safe
https://uc.todesk.com/u	0%	Avira URL Cloud	safe
https://uc.todesk.com/p	0%	Avira URL Cloud	safe
https://uc.todesk.com/t	0%	Avira URL Cloud	safe
https://user.todesk.com/upload.php?token=FILE=user-PCUWv	0%	Avira URL Cloud	safe
https://uc.todesk.com/A	0%	Avira URL Cloud	safe
https://wechat.todesk.comnseLI-P	0%	Avira URL Cloud	safe
https://uc.todesk.com/Qy	0%	Avira URL Cloud	safe
https://uc.todesk.com/E	0%	Avira URL Cloud	safe
https://android.notify.windows.com/iOS0	0%	Avira URL Cloud	safe
https://user.todesk.com/upload.php?token=fh	0%	Avira URL Cloud	safe
https://uc.todesk.com/H	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
authds.todesk.com	43.135.63.118	true	false	high
g8e1l8qd.ovslegodl.sched.ovscdns.com	43.175.152.66	true	false	unknown
todeskcdnspeed.todesk.com	unknown	unknown	false	high
authds.kylinlot.com	unknown	unknown	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://daas-personal.todesk.com/downloadm	ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://faac.sourceforge.net/)	ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB2FB000.00000002.00000001.01000000.00000017.sdmp	false	Avira URL Cloud: safe	unknown
https://daas-personal.todesk.com/downloadj	ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://daas-personal.todesk.com/downloadf	ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://user.todesk.com/upload.php?token=Jh	ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://todeskcdnspeed.todesk.com/Windows	ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 0000000E.00000002.2534919873.0000000007160000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2520908782.0000000002F85000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1546224158.0000000002F60000.00000004.00000001.00020000.00000000.sdmp	false		high
https://daas-personal.todesk.com/downloadPATHEX	ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://deff.nelreports.net/api/report?cat=msn	explorer.exe, 0000000E.00000000.1556114866.0000000008888000.00000004.00000001.00020000.00000000.sdmp	false		high
https://daas-personal.todesk.com/downloadV	ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.todesk.com/download.htmlToDesk	ToDesk_Setup.exe, 00000012.00000002.1875989381.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://streams.videolan.org/upload/	ToDesk.exe, 00000037.00000002.2294923227.00007FFF26374000.00000002.00000001.01000000.00000018.sdmp	false		high
https://daas-personal.todesk.com/downloadROCESSOR_IDENT3	ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://daas.todesk.com/consoleali	ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://daas.todesk.com/console	ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDEC3000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2238552863.00000271BDE77000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0CB000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2228056997.000001ED0F0B6000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000002.2243465242.000001ED0F0CB000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2228056997.000001ED0F0A3000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2219526305.000001ED0F0C4000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0A2000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0C4000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2219526305.000001ED0F0CB000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2220802918.000001ED0F0B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://daas-personal.todesk.com/download~	ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theatlantic.com/politics/archive/2014/02/the-origin-of-liberalism/283780/	explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	false		high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppche_16.dbK	explorer.exe, 0000000E.00000000.1556114866.0000000008888000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/george-santos-former-campaign-treasurer-pleads-guilty-to-fed	explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000005.00000003.1366314189.000001CA68262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1369064034.000001CA68265000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1366875764.000001CA6825A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1366669919.000001CA68258000.00000004.00000020.00020000.00000000.sdmp	false		high
https://user.todesk.com/upload.php?token=ePath=C:	ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.todesk.com/licence.htmlopen	ToDesk_Setup.exe, 00000012.00000002.1875989381.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uc.todesk.com/ol	ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uc.todesk.com/on	ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/there-are-8-types-of-intelligence-which-one-is-yo	explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000000.00000002.2507661800.000001EB66200000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.symauth.com/cps0(	ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000005.00000003.1366669919.000001CA68258000.00000004.00000020.00020000.00000000.sdmp	false		high
https://daas-personal.todesk.com/download	ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDED4000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000003.2208474981.00000271BDEEC000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDECD000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2238552863.00000271BDE77000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000002.2242807873.000001ED0F0AB000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2206614243.000001ED0F0D0000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2228056997.000001ED0F0B6000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2228056997.000001ED0F0AA000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2214293420.000001ED0F0A2000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2220802918.000001ED0F0A9000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 0000003A.00000003.2220802918.000001ED0F0B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.godaddy.com/gdroot-g2.crl0F	ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	false		high
http://www.symauth.com/rpa0)	ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	false		high
https://dynamic.t	svchost.exe, 00000005.00000003.1367150084.000001CA68230000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod-C:	svchost.exe, 00000000.00000003.1203206451.000001EB661A3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://uc.todesk.com/orderManage/buyOrder?spuId=2&orderType=0	ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/rpa00	ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	false		high
http://todeskcdnspeed.todesk.com/&oq	ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000002.2243439389.00000271BDED4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000005.00000003.1366669919.000001CA68258000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.msn.com/v1/news/Feed/Windows?activityId=BD3E37D8C4964A928E655AAA177D65C1&timeOut=5000&oc	explorer.exe, 0000000E.00000002.2534919873.0000000007160000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dl.todesk.com/windowsDownloadAppFilekernel32::IsWow64Process2(ps	ToDesk_Setup.exe, 00000012.00000002.1875989381.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://aia.startssl.com/certs/ca.crt02	ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	false		high
http:///dump.php?dumpserver.compresstypelognamedatetimedate	ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp	false	Avira URL Cloud: safe	unknown
https://daas-personal.todesk.com/downloadProgramA	ToDesk.exe, 00000037.00000003.1888162264.000001B611B1E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13g0vJ-dark	explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://user.todesk.com/upload.php?token=ESSOR_I	ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://daas.todesk.com/console;C:	ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wechat.todesk.comtionny	ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://html4/loose.dtd	ToDesk.exe, 00000038.00000002.2295229401.00007FFF26301000.00000002.00000001.01000000.00000018.sdmp	false		high
https://certs.starfieldtech.com/repository/0	ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	false		high
https://daas-personal.todesk.com/downloadngComm	ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000005.00000003.1366669919.000001CA68258000.00000004.00000020.00020000.00000000.sdmp	false		high
http://todeskcdnspeed.todesk.com/https://uc.todesk.com/https://user.todesk.com/upload.php?token=tode	ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp	false		high
http://todeskcdnspeed.todesk.com/les;C:	ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	false		high
https://crbug.com/1053756	ToDesk.exe, 00000038.00000002.2295229401.00007FFF261FA000.00000002.00000001.01000000.00000018.sdmp	false		high
http://aia1.wosign.com/ca1-class3-server.cer0	ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	false		high
https://uc.todesk.com/esponseo	ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wechat.todesk.comaxQ	ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 0000000E.00000000.1545905770.00000000025F0000.00000002.00000001.00040000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg	explorer.exe, 0000000E.00000000.1547538044.0000000007147000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.todesk.com/download.htmlopen	ToDesk_Setup.exe, 00000012.00000002.1875989381.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://todeskcdnspeed.todesk.com/ily	ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	false		high
http://subca.ocsp-certum.com0.	ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp	false		high
https://uc.todesk.com/y	ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://todeskcdnspeed.todesk.com/AT;.CMD;.VBS;.VBE;.JS;7	ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	false		high
https://user.todesk.com/upload.php?token=USERNAs	ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/g2ca.crl0;	ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp	false		high
http://todeskcdnspeed.todesk.com/ineIntelPR	ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	false		high
http://subca.ocsp-certum.com01	ToDesk.exe, 00000033.00000002.2294923949.00007FFF2609D000.00000002.00000001.01000000.00000018.sdmp	false		high
https://user.todesk.com/upload.php?token=lesCOMPUTERNAW	ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://.jpg	ToDesk.exe, 00000038.00000002.2295229401.00007FFF26301000.00000002.00000001.01000000.00000018.sdmp	false		high
https://crbug.com/1053756ICE	ToDesk.exe, 00000038.00000002.2295229401.00007FFF261FA000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	unknown
https://daas-personal.todesk.com/downloadwsTEMP	ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dumpserver.todesk.com/dump.phpSymInitialize	ToDesk.exe, 00000033.00000000.1798291079.00007FF6FB49B000.00000002.00000001.01000000.00000017.sdmp	false	Avira URL Cloud: safe	unknown
http://todeskcdnspeed.todesk.com/SCPROCESSO	ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 00000005.00000003.1366238872.000001CA6826E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://uc.todesk.com/f	ToDesk.exe, 00000034.00000002.2488420310.00000257CD379000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uc.todesk.com/1y	ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uc.todesk.com/d	ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wechat.todesk.comMy	ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uc.todesk.com/j	ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://todeskcdnspeed.todesk.com/~h	ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000005.00000003.1366314189.000001CA68262000.00000004.00000020.00020000.00000000.sdmp	false		high
https://outlook.comsoft.A	explorer.exe, 0000000E.00000002.2626418957.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2040398375.000000000BFDE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1564679551.000000000BF65000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uc.todesk.com/l	ToDesk.exe, 00000033.00000003.1896854871.00000208CF7DA000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crls1.wosign.com/ca1.crl0m	ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp	false		high
https://uc.todesk.com/o	ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uc.todesk.com/p	ToDesk.exe, 00000033.00000003.1896854871.00000208CF7DA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uc.todesk.com/u	ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uc.todesk.com/t	ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.thawte.com/cps02	ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF2609E000.00000002.00000001.01000000.00000018.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000005.00000002.1368767624.000001CA6823F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://user.todesk.com/upload.php?token=FILE=user-PCUWv	ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wechat.todesk.comnseLI-P	ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uc.todesk.com/A	ToDesk.exe, 00000033.00000003.1897883540.00000208CF7D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.thawte.com/cps0)	ToDesk.exe, 00000037.00000002.2294923227.00007FFF2608B000.00000002.00000001.01000000.00000018.sdmp, ToDesk.exe, 00000038.00000002.2295229401.00007FFF2609E000.00000002.00000001.01000000.00000018.sdmp	false		high
http://aia.startssl.com/certs/ca.crt0	ToDesk.exe, 00000037.00000002.2294923227.00007FFF2609F000.00000002.00000001.01000000.00000018.sdmp	false		high
https://uc.todesk.com/E	ToDesk.exe, 00000037.00000002.1889947432.000001B611B01000.00000004.00000020.00020000.00000000.sdmp, ToDesk.exe, 00000037.00000003.1888490296.000001B611B00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS0	explorer.exe, 0000000E.00000002.2626418957.000000000BF31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2008974722.000000000BF31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1564679551.000000000BF18000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uc.todesk.com/Qy	ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://user.todesk.com/upload.php?token=fh	ToDesk.exe, 00000038.00000003.2219133688.00000271BDEB7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uc.todesk.com/H	ToDesk.exe, 00000034.00000002.2488420310.00000257CD359000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
43.135.63.118	authds.todesk.com	Japan	4249	LILLY-ASUS	false
101.42.127.254	unknown	China	4847	CNIX-APChinaNetworksInter-ExchangeCN	false
119.45.2.35	unknown	China	45090	CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	false
47.238.100.22	unknown	United States	20115	CHARTER-20115US	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1621377
Start date and time:	2025-02-21 21:12:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 10s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	57
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	T0pdaslk-guangwang-winelkxcac-64.msi
Detection:	MAL
Classification:	mal100.troj.evad.winMSI@79/82@6/5
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, SIHClient.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 2.19.106.160, 20.109.210.53, 13.107.246.60
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:12:51	API Interceptor	2x Sleep call for process: svchost.exe modified
15:13:39	API Interceptor	816275x Sleep call for process: explorer.exe modified
15:13:59	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified
15:14:34	API Interceptor	449x Sleep call for process: ToDesk.exe modified

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	27497
Entropy (8bit):	6.650412583586428
Encrypted:	false
SSDEEP:	768:KMgUvXVoSS0rfyjfj44VbvDQe/PrnPxWE5h:dxXVoSnrfyjf5brQ0rPxp
MD5:	B4290AAAB96155A1F7A7506045F1E0C0
SHA1:	90B894D573D9D7321785391D9EEA838F3E3A2A5D
SHA-256:	59341380C67161E8584F0DEDFD1B2AD3D66E87194FF051EEA080277E5963E729
SHA-512:	F83592764EDE533536D2EA666FEDADC56D372380CFA084677B6AFD3271F4BC1B3DA09878772E6F94692BDBA0F31037446F68B727F2AB8533AFEFF638D79E5066
Malicious:	false
Preview:	...@IXOS.@.....@.yUZ.@.....@.....@.....@.....@.....@......&.{D35AFE46-73B4-4441-81DF-EDEE2029BCB9}..ToDesk_Setup$.T0pdaslk-guangwang-winelkxcac-64.msi.@.....@.....@.....@........&.{B54FEEA7-07D2-4A02-96E4-0A412A2D9E16}.....@.....@.....@.....@.......@.....@.....@.......@......ToDesk_Setup......Rollback..ck(W.V.n.d\O:.....RollbackCleanup..ck(W Rd..Y.N.e.N...e.N:. .[.1.].....ProcessComponents..ck(W.f.e.~.N.l.Qh...&.{A879BE35-2F8E-470B-92C5-570B7EAF4274}&.{D35AFE46-73B4-4441-81DF-EDEE2029BCB9}.@......&.{668E887C-215E-477A-8E33-D58E087A0DD8}&.{D35AFE46-73B4-4441-81DF-EDEE2029BCB9}.@......&.{253CEC5A-F1B0-4339-AFCB-78E1847BFC0A}&.{D35AFE46-73B4-4441-81DF-EDEE2029BCB9}.@......&.{D31BF6B0-8ED1-4F80-BA4E-9BDE93143885}&.{D35AFE46-73B4-4441-81DF-EDEE2029BCB9}.@........CreateFolders..ck(W.R.^.e.N9Y...e.N9Y:. .[.1.].#.1.C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\.@........InstallFiles..ck(W.Y6R.e.e.N...e.N:. .[.1.]....vU_:. .[.9.]...'Y.\:. .[.6.]...1.C:\Program Files (x86)\ToDesk_Setup\ToDesk

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7945979436514706
Encrypted:	false
SSDEEP:	3072:yJjAgNE4Pj5vHcjTcyBP9UjaaQ/ka4qWb:QAgN8nj/ka4
MD5:	5124FA330918DCBF894705658D5F4079
SHA1:	FE97286EFD2B7F73410FC3B1BA9DE2EE8AFC8754
SHA-256:	7FBF3768545F93A843E6CBB7944C1975F8C2C9A57D942AF8BA2F9DE6756AFB0B
SHA-512:	E6E1266BBE065C1F0EA64A77ED6529F139DF15E3BD5834E23238CA22278F55767C522E32B5E2EF089F2AD4B4E87E89B83F117E76296B2B5493C0FA986D36956B
Malicious:	false
Preview:	..6.........@..@.....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................d6d6.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	30
Entropy (8bit):	2.6616157143988106
Encrypted:	false
SSDEEP:	3:tblM6lEjln:tbhEZn
MD5:	AE50B29A0B8DCC411F24F1863B0EAFDE
SHA1:	D415A55627B1ADED8E4B2CBBA402F816B0461155
SHA-256:	6B4BBBCE480FBC50D39A8EC4B72CDB7D781B151921E063DD899FD9B736ADCF68
SHA-512:	D9A9BA42D99BE32D26667060BE1D523DCD20EAFA187A67F7919002CC6DA349FD058053C9C6F721D6FDB730EA02FBAA3013E51C0C653368BD6B3F57A4C0FCABA8
Malicious:	true
Preview:	C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	4926
Entropy (8bit):	3.2467809882852334
Encrypted:	false
SSDEEP:	48:FaqdF78F7B+AAHdKoqKFxcxkFiF7KaqdF74v+AAHdKoqKFxcxkFj:cEOB+AAsoJjykePE4+AAsoJjyk5
MD5:	9DC82B21F9832530E684C5F84148939C
SHA1:	9E547BBDC2BE8A3747E410D54DE5546C813BEA2A
SHA-256:	0CFB4B3BB4991730019DE86027EE35E69B4835FF39C1B6A3C9800C2B79959C3F
SHA-512:	DA6BB1385973BB271D6DE633CFB7121B6A66A82EFF7FBCE8C9F668775853FCC60E16CFAB89C055571AD7072C0387B02B954534AC0DEC1D4C935FE05ECC1D0272
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. O.c.t. .. 0.6. .. 2.0.2.3. .1.1.:.3.5.:.2.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 936, Revision Number: {B54FEEA7-07D2-4A02-96E4-0A412A2D9E16}, Number of Words: 2, Subject: ToDesk_Setup, Author: ToDesk_Setup, Name of Creating Application: ToDesk_Setup, Template: ;2052, Comments: Installer ToDesk_Setup , Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Entropy (8bit):	7.992916496546297
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	T0pdaslk-guangwang-winelkxcac-64.msi
File size:	95'763'456 bytes
MD5:	09fc3a5af26388a6909a2b0643ad644e
SHA1:	83423788bb21f3a47e02f89d3e604bf135f42080
SHA256:	0c8017e92fd56f96da5b8f01c219d4a90f80da94b360c59ce81618c9df55c88b
SHA512:	d2ecba8fa969ef25f0cd970090147ab95505b65a7f44f1c42b4bcccc3cb5a72db2d8d49ed04b21075657dadaa8920d5ef934fd41bb235d701606a41e166e923e
SSDEEP:	1572864:bnYoF8GzRDf3KGtWRmnNt3T6AkczyKEjIJnPxPsbtTHQWv3i/B5E:bTF8Gt2I9NtmYyKEjIZJPE9QWvSp
TLSH:	CE283331F1766D99E62F67BFA0A85FC88430BC90771BDEA763783FA149B16861071903
File Content Preview:	........................>...........................................#...........f.......?......................................................................................................................................................................

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 21, 2025 21:13:37.220143080 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:37.225507975 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:37.225621939 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:40.640151024 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:40.645397902 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:40.645437956 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:40.645451069 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:40.645543098 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:41.193378925 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:41.243555069 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:41.713567019 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:41.718693972 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:41.718732119 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:41.718751907 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:41.718763113 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:41.718796968 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:41.723843098 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:42.257803917 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:42.257847071 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:42.257879972 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:42.257903099 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:42.264161110 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:42.269335032 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:42.269366980 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:42.269398928 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:42.587505102 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:42.587584972 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:42.587620974 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:42.587654114 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:42.587655067 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:42.587701082 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:42.587709904 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:42.587712049 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:42.587769032 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:43.255430937 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.255491018 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.255527020 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.255556107 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:43.255579948 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.255615950 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.255634069 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:43.255980968 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.255992889 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.256047964 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.256053925 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:43.256082058 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.256104946 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:43.256118059 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.256213903 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:43.256957054 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.257000923 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.257045031 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.257056952 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:43.257349968 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.257411003 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:43.257448912 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.257524014 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.257543087 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.257564068 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.257590055 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:43.257625103 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:43.705029011 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.705115080 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.705156088 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.705190897 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.705224037 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.705224991 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:43.705256939 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:43.705257893 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.705295086 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.705317020 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:43.705370903 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.705426931 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.705429077 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:43.705461025 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.705495119 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:43.705568075 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:44.372838020 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:44.372906923 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:44.372931957 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:44.372955084 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:44.372977972 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:44.372978926 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:44.373002052 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:44.373020887 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:44.373049021 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:44.821891069 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:44.821934938 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:44.821970940 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:44.821997881 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:44.822026968 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:44.822076082 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:45.489243031 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:45.489373922 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:45.489411116 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:45.489435911 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:45.489447117 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:45.489480972 CET	4433	49909	47.238.100.22	192.168.2.16
Feb 21, 2025 21:13:45.489495993 CET	49909	4433	192.168.2.16	47.238.100.22
Feb 21, 2025 21:13:45.489520073 CET	4433	49909	47.238.100.22	192.168.2.16

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 21, 2025 21:14:00.179972887 CET	49382	53	192.168.2.16	1.1.1.1
Feb 21, 2025 21:14:00.236278057 CET	53	49382	1.1.1.1	192.168.2.16
Feb 21, 2025 21:14:01.897497892 CET	62508	53	192.168.2.16	1.1.1.1
Feb 21, 2025 21:14:01.905682087 CET	53	62508	1.1.1.1	192.168.2.16
Feb 21, 2025 21:14:26.954314947 CET	57373	53	192.168.2.16	1.1.1.1
Feb 21, 2025 21:14:27.002777100 CET	53	57373	1.1.1.1	192.168.2.16
Feb 21, 2025 21:14:52.990061045 CET	64226	53	192.168.2.16	1.1.1.1
Feb 21, 2025 21:14:53.147459030 CET	53	64226	1.1.1.1	192.168.2.16
Feb 21, 2025 21:14:59.109533072 CET	58921	53	192.168.2.16	1.1.1.1
Feb 21, 2025 21:14:59.271090984 CET	53	58921	1.1.1.1	192.168.2.16
Feb 21, 2025 21:15:17.099879980 CET	52280	53	192.168.2.16	1.1.1.1
Feb 21, 2025 21:15:17.419904947 CET	53	52280	1.1.1.1	192.168.2.16

Target ID:	0
Start time:	15:12:51
Start date:	21/02/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff62c440000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	1
Start time:	15:12:52
Start date:	21/02/2025
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\T0pdaslk-guangwang-winelkxcac-64.msi"
Imagebase:	0x7ff6a3e60000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	15:12:58
Start date:	21/02/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff62c440000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	11
Start time:	15:13:09
Start date:	21/02/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 1D978FC4728A444D05DF5DFC6F0CB94A
Imagebase:	0xcb0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	15:13:17
Start date:	21/02/2025
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\MsiExec.exe -Embedding A42AD45622494486CAE464114BFDCC7F
Imagebase:	0x7ff6a3e60000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	13
Start time:	15:13:23
Start date:	21/02/2025
Path:	C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\Microsoft_Xtools.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\E18E9999-38FB-4B56-A9DC-92053E34C6FB\\Microsoft_Xtools.exe"
Imagebase:	0x7ff6d9ed0000
File size:	4'675'512 bytes
MD5 hash:	9980BA3F5506EF42212CF1D44C66757D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000D.00000002.1586294361.000001EADCDE4000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000D.00000002.1587648854.000001EADE820000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 3%, ReversingLabs
Has exited:	true

Target ID:	14
Start time:	15:13:26
Start date:	21/02/2025
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff71ebd0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000E.00000003.2019014454.000000000C199000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
Has exited:	false

Target ID:	18
Start time:	15:13:27
Start date:	21/02/2025
Path:	C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe"
Imagebase:	0x400000
File size:	88'336'056 bytes
MD5 hash:	C352B397CC1BF792AE368F562AAA19BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Target ID:	19
Start time:	15:13:30
Start date:	21/02/2025
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\windows\explorer.exe
Imagebase:	0x7ff71ebd0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000013.00000002.2496852197.0000000000880000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000013.00000002.2460978525.0000000000420000.00000020.00000001.00020000.00000000.sdmp, Author: unknown
Has exited:	false

Target ID:	20
Start time:	15:13:32
Start date:	21/02/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c sc stop ToDesk_Service
Imagebase:	0xf20000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	29
Start time:	15:13:33
Start date:	21/02/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c sc delete ToDesk_Service
Imagebase:	0xf20000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	35
Start time:	15:13:40
Start date:	21/02/2025
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh advfirewall firewall delete rule name="ToDesk_Service"
Imagebase:	0x1470000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	37
Start time:	15:13:41
Start date:	21/02/2025
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh advfirewall firewall delete rule name="ToDesk_Session"
Imagebase:	0x1470000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	39
Start time:	15:13:43
Start date:	21/02/2025
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh advfirewall firewall add rule name="ToDesk" dir=in program="C:\Program Files\ToDesk\ToDesk.exe" edge=yes action=allow
Imagebase:	0x1470000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report T0pdaslk-guangwang-winelkxcac-64.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\4cdca3.rbs

C:\Program Files (x86)\ToDesk_Setup\ToDesk_Setup\ToDesk_Setup.exe

C:\Program Files\ToDesk\CrashReport.exe

C:\Program Files\ToDesk\Logs\servicexejnqytw_2025_02_21.log

C:\Program Files\ToDesk\ToDesk.exe

C:\Program Files\ToDesk\config.ini

C:\Program Files\ToDesk\drivers\cameramic\ToDeskAudio.inf

C:\Program Files\ToDesk\drivers\cameramic\ToDeskAudio.sys

C:\Program Files\ToDesk\drivers\cameramic\devcon.exe

C:\Program Files\ToDesk\drivers\cameramic\todeskaudio.cat

C:\Program Files\ToDesk\drivers\cameramic\virtual_camera_x64.dll

C:\Program Files\ToDesk\drivers\cameramic\virtual_camera_x86.dll

C:\Program Files\ToDesk\drivers\tdgamepad\TdGamePad.inf

C:\Program Files\ToDesk\drivers\tdgamepad\TdGamepad.sys

Windows Analysis Report
T0pdaslk-guangwang-winelkxcac-64.msi

Target ID:	43
Start time:	15:13:44
Start date:	21/02/2025
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh advfirewall firewall add rule name="ToDesk_Service" dir=in program="C:\Program Files\ToDesk\ToDesk_Service.exe" edge=yes action=allow
Imagebase:	0x1470000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	47
Start time:	15:13:45
Start date:	21/02/2025
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh advfirewall firewall add rule name="ToDesk_Session" dir=in program="C:\Program Files\ToDesk\ToDesk_Session.exe" edge=yes action=allow
Imagebase:	0x1470000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	51
Start time:	15:13:46
Start date:	21/02/2025
Path:	C:\Program Files\ToDesk\ToDesk.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\ToDesk\ToDesk.exe"
Imagebase:	0x7ff6f9b60000
File size:	51'634'120 bytes
MD5 hash:	461C4140E0A097BFFE2EE4B8991AAB3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Target ID:	52
Start time:	15:13:58
Start date:	21/02/2025
Path:	C:\Program Files\ToDesk\ToDesk.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\ToDesk\ToDesk.exe" --runservice
Imagebase:	0x7ff6f9b60000
File size:	51'634'120 bytes
MD5 hash:	461C4140E0A097BFFE2EE4B8991AAB3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	55
Start time:	15:14:00
Start date:	21/02/2025
Path:	C:\Program Files\ToDesk\ToDesk.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\ToDesk\ToDesk.exe" --hide --localPort=35600
Imagebase:	0x7ff6f9b60000
File size:	51'634'120 bytes
MD5 hash:	461C4140E0A097BFFE2EE4B8991AAB3C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	56
Start time:	15:14:27
Start date:	21/02/2025
Path:	C:\Program Files\ToDesk\ToDesk.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\ToDesk\ToDesk.exe"
Imagebase:	0x7ff6f9b60000
File size:	51'634'120 bytes
MD5 hash:	461C4140E0A097BFFE2EE4B8991AAB3C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	58
Start time:	15:14:30
Start date:	21/02/2025
Path:	C:\Program Files\ToDesk\ToDesk.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\ToDesk\ToDesk.exe" --runadmin=true
Imagebase:	0x7ff6f9b60000
File size:	51'634'120 bytes
MD5 hash:	461C4140E0A097BFFE2EE4B8991AAB3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre