plugx | 3771d6a0594a42845193f182b177151b295e458f17749e74ae5a5320210a2fe8

Resubmissions

30-12-2024 19:54

241230-ymjw9ayme1 10

24-09-2024 08:26

240924-kcchja1cla 10

19-09-2024 16:17

240919-trjptsybql 10

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ToDesk_x64_4.7.4.8.exe
Size

56.3MB
MD5

e43eaf8183e538eb28e5dfd31ba074bc
SHA1

4d90bca79dbb3994fc1cf99921b1942520bee490
SHA256

3771d6a0594a42845193f182b177151b295e458f17749e74ae5a5320210a2fe8
SHA512

d43c32749ff1db235f063cc071c33af41dde25fd1c92d1fb670ad8ee0c5b7ab24f172138d7a18b0f61d9e4e959d4b765965ca3e38f0aa9cbb4e51125d6de70a5
SSDEEP

1572864:A4959RiO7XJ5d5crS8/JruPXzKgz5zejq4/OiV0xNnw:lT7XJ5gTJrOzKs5y//OiVwZw

Score

10^/10

plugx discovery trojan

Malware Config

Signatures

Detects PlugX payload 23 IoCs

resource	yara_rule
behavioral2/memory/4220-126-0x0000000000C50000-0x0000000000C8A000-memory.dmp	family_plugx
behavioral2/memory/2116-127-0x00000000013B0000-0x00000000013EA000-memory.dmp	family_plugx
behavioral2/memory/2936-141-0x00000000017C0000-0x00000000017FA000-memory.dmp	family_plugx
behavioral2/memory/2864-159-0x0000000000C80000-0x0000000000CBA000-memory.dmp	family_plugx
behavioral2/memory/2936-163-0x00000000017C0000-0x00000000017FA000-memory.dmp	family_plugx
behavioral2/memory/2864-164-0x0000000000C80000-0x0000000000CBA000-memory.dmp	family_plugx
behavioral2/memory/4220-166-0x0000000000C50000-0x0000000000C8A000-memory.dmp	family_plugx
behavioral2/memory/2864-161-0x0000000000C80000-0x0000000000CBA000-memory.dmp	family_plugx
behavioral2/memory/2864-160-0x0000000000C80000-0x0000000000CBA000-memory.dmp	family_plugx
behavioral2/memory/2864-148-0x0000000000C80000-0x0000000000CBA000-memory.dmp	family_plugx
behavioral2/memory/2864-145-0x0000000000C80000-0x0000000000CBA000-memory.dmp	family_plugx
behavioral2/memory/2116-176-0x00000000013B0000-0x00000000013EA000-memory.dmp	family_plugx
behavioral2/memory/1932-182-0x0000000002210000-0x000000000224A000-memory.dmp	family_plugx
behavioral2/memory/1932-181-0x0000000002210000-0x000000000224A000-memory.dmp	family_plugx
behavioral2/memory/1932-183-0x0000000002210000-0x000000000224A000-memory.dmp	family_plugx
behavioral2/memory/1932-179-0x0000000002210000-0x000000000224A000-memory.dmp	family_plugx
behavioral2/memory/2864-496-0x0000000000C80000-0x0000000000CBA000-memory.dmp	family_plugx
behavioral2/memory/1932-497-0x0000000002210000-0x000000000224A000-memory.dmp	family_plugx
behavioral2/memory/2864-631-0x0000000000C80000-0x0000000000CBA000-memory.dmp	family_plugx
behavioral2/memory/1932-632-0x0000000002210000-0x000000000224A000-memory.dmp	family_plugx
behavioral2/memory/1932-633-0x0000000002210000-0x000000000224A000-memory.dmp	family_plugx
behavioral2/memory/1932-639-0x0000000002210000-0x000000000224A000-memory.dmp	family_plugx
behavioral2/memory/2864-640-0x0000000000C80000-0x0000000000CBA000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 6 IoCs

pid	Process
4220	wmicode.exe
5048	ToDesk.exe
2936	SxS.exe
4976	ToDesk.exe
3708	ToDesk.exe
752	ToDesk.exe

Loads dropped DLL 18 IoCs

pid	Process
1424	MsiExec.exe
1780	MsiExec.exe
1780	MsiExec.exe
1780	MsiExec.exe
1780	MsiExec.exe
1780	MsiExec.exe
4604	MsiExec.exe
4604	MsiExec.exe
4604	MsiExec.exe
4604	MsiExec.exe
4604	MsiExec.exe
4604	MsiExec.exe
4220	wmicode.exe
2936	SxS.exe
5048	ToDesk.exe
4976	ToDesk.exe
3708	ToDesk.exe
752	ToDesk.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	ToDesk_x64_4.7.4.8.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	ToDesk_x64_4.7.4.8.exe
File opened (read-only)	\??\V:	ToDesk_x64_4.7.4.8.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	ToDesk_x64_4.7.4.8.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	ToDesk_x64_4.7.4.8.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	ToDesk_x64_4.7.4.8.exe
File opened (read-only)	\??\L:	ToDesk_x64_4.7.4.8.exe
File opened (read-only)	\??\S:	ToDesk_x64_4.7.4.8.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	ToDesk_x64_4.7.4.8.exe
File opened (read-only)	\??\O:	ToDesk_x64_4.7.4.8.exe
File opened (read-only)	\??\T:	ToDesk_x64_4.7.4.8.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\M:	ToDesk_x64_4.7.4.8.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	ToDesk_x64_4.7.4.8.exe
File opened (read-only)	\??\P:	ToDesk_x64_4.7.4.8.exe
File opened (read-only)	\??\Y:	ToDesk_x64_4.7.4.8.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	ToDesk_x64_4.7.4.8.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	ToDesk_x64_4.7.4.8.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	ToDesk_x64_4.7.4.8.exe
File opened (read-only)	\??\X:	ToDesk_x64_4.7.4.8.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	ToDesk_x64_4.7.4.8.exe

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File created	C:\Program Files\ToDesk\drivers\cameramic\ToDeskAudio.sys	msiexec.exe
File created	C:\Program Files\ToDesk\drivers\tdgamepad\TdGamepad.sys	msiexec.exe
File created	C:\Program Files\ToDesk\drivers\tdscreen\tdidd.cat	msiexec.exe
File created	C:\Program Files\ToDesk\drivers\tdscreen\tdIdd.inf	msiexec.exe
File opened for modification	C:\Program Files\ToDesk\config.ini	ToDesk.exe
File opened for modification	C:\Program Files\ToDesk\Logs\servicejefluxuy_2024_09_24.log	ToDesk.exe
File created	C:\Program Files\ToDesk\drivers\cameramic\ToDeskAudio.inf	msiexec.exe
File created	C:\Program Files\ToDesk\drivers\cameramic\virtual_camera_x64.dll	msiexec.exe
File created	C:\Program Files\ToDesk\drivers\tdgamepad\TdGamePad.inf	msiexec.exe
File created	C:\Program Files\ToDesk\drivers\tdscreen\devcon.exe	msiexec.exe
File created	C:\Program Files\ToDesk\drivers\vhid\TodeskVhid.inf	msiexec.exe
File created	C:\Program Files\ToDesk\drivers\cameramic\virtual_camera_x86.dll	msiexec.exe
File created	C:\Program Files\ToDesk\drivers\tdgamepad\tdgamepad.cat	msiexec.exe
File created	C:\Program Files\ToDesk\drivers\vhid\todeskvhid.cat	msiexec.exe
File created	C:\Program Files\ToDesk\drivers\vhid\TodeskVhid.dll	msiexec.exe
File created	C:\Program Files\ToDesk\CrashReport.exe	msiexec.exe
File created	C:\Program Files\ToDesk\uninst.exe	msiexec.exe
File created	C:\Program Files\ToDesk\drivers\vhid\devcon.exe	msiexec.exe
File created	C:\Program Files\ToDesk\mmkv.default	msiexec.exe
File created	C:\Program Files\ToDesk\zrtc.dll	msiexec.exe
File created	C:\Program Files\ToDesk\drivers\cameramic\devcon.exe	msiexec.exe
File created	C:\Program Files\ToDesk\Tools\wmicodegen.dll	msiexec.exe
File created	C:\Program Files\ToDesk\mmkv.default.crc	msiexec.exe
File created	C:\Program Files\ToDesk\drivers\cameramic\todeskaudio.cat	msiexec.exe
File created	C:\Program Files\ToDesk\drivers\tdgamepad\devcon.exe	msiexec.exe
File created	C:\Program Files\ToDesk\Tools\wmicode.exe	msiexec.exe
File created	C:\Program Files\ToDesk\Tools\wmidll.dat	msiexec.exe
File opened for modification	C:\Program Files\ToDesk\Logs\zrtcservicezawbwlgp_2024_09_24.log	ToDesk.exe
File created	C:\Program Files\ToDesk\drivers\tdscreen\tdIdd.dll	msiexec.exe
File created	C:\Program Files\ToDesk\ToDesk.exe	msiexec.exe
File created	C:\Program Files\ToDesk\config.ini	ToDesk.exe
File opened for modification	C:\Program Files\ToDesk\Logs\sdkserviceebsoxmtc_2024_09_24.log	ToDesk.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIC15.tmp	msiexec.exe
File created	C:\Windows\Installer\{FF125C97-8FCC-41C8-8BD8-0F17A4F0E431}\ToDesk.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{FF125C97-8FCC-41C8-8BD8-0F17A4F0E431}\ToDesk.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB19.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB87.tmp	msiexec.exe
File created	C:\Windows\Installer\e580983.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{FF125C97-8FCC-41C8-8BD8-0F17A4F0E431}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA4D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9DE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID2F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID9D.tmp	msiexec.exe
File created	C:\Windows\Installer\e580981.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e580981.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ToDesk_x64_4.7.4.8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SxS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmicode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000532ba7f3274a467a0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000532ba7f30000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900532ba7f3000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d532ba7f3000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000532ba7f300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ	svchost.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 25 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79C521FFCCF88C14B88DF0714A0F4E13\DeploymentFlags = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79C521FFCCF88C14B88DF0714A0F4E13\Version = "67633156"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79C521FFCCF88C14B88DF0714A0F4E13\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79C521FFCCF88C14B88DF0714A0F4E13\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79C521FFCCF88C14B88DF0714A0F4E13\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79C521FFCCF88C14B88DF0714A0F4E13\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79C521FFCCF88C14B88DF0714A0F4E13\SourceList\Media\1 = "Disk1;Disk1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\55618446287AA11419168EF299B11EAC	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79C521FFCCF88C14B88DF0714A0F4E13\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79C521FFCCF88C14B88DF0714A0F4E13\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\55618446287AA11419168EF299B11EAC\79C521FFCCF88C14B88DF0714A0F4E13	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79C521FFCCF88C14B88DF0714A0F4E13\SourceList\PackageName = "ToDesk.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79C521FFCCF88C14B88DF0714A0F4E13\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Hainan YouQu Technology Co., Ltd\\ToDesk 4.8.4.8\\install\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 41004400390041004500420034004100440038003600320043004600430043000000	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\79C521FFCCF88C14B88DF0714A0F4E13\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79C521FFCCF88C14B88DF0714A0F4E13\PackageCode = "DA87031E272071245AB56D28732B7604"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79C521FFCCF88C14B88DF0714A0F4E13\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79C521FFCCF88C14B88DF0714A0F4E13\Language = "2052"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79C521FFCCF88C14B88DF0714A0F4E13\AdvertiseFlags = "388"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79C521FFCCF88C14B88DF0714A0F4E13\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79C521FFCCF88C14B88DF0714A0F4E13\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Hainan YouQu Technology Co., Ltd\\ToDesk 4.8.4.8\\install\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\79C521FFCCF88C14B88DF0714A0F4E13	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79C521FFCCF88C14B88DF0714A0F4E13	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79C521FFCCF88C14B88DF0714A0F4E13\ProductName = "ToDesk"	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
752	ToDesk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4716	msiexec.exe
4716	msiexec.exe
4220	wmicode.exe
4220	wmicode.exe
2116	svchost.exe
2116	svchost.exe
2936	SxS.exe
2936	SxS.exe
2936	SxS.exe
2936	SxS.exe
2864	svchost.exe
2864	svchost.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
2864	svchost.exe
2864	svchost.exe
1932	msiexec.exe
1932	msiexec.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
4976	ToDesk.exe
1932	msiexec.exe
1932	msiexec.exe
4976	ToDesk.exe
4976	ToDesk.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2864	svchost.exe
1932	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4716	msiexec.exe
Token: SeCreateTokenPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeAssignPrimaryTokenPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeLockMemoryPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeIncreaseQuotaPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeMachineAccountPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeTcbPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeSecurityPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeTakeOwnershipPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeLoadDriverPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeSystemProfilePrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeSystemtimePrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeProfSingleProcessPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeIncBasePriorityPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeCreatePagefilePrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeCreatePermanentPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeBackupPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeRestorePrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeShutdownPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeDebugPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeAuditPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeSystemEnvironmentPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeChangeNotifyPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeRemoteShutdownPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeUndockPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeSyncAgentPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeEnableDelegationPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeManageVolumePrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeImpersonatePrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeCreateGlobalPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeCreateTokenPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeAssignPrimaryTokenPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeLockMemoryPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeIncreaseQuotaPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeMachineAccountPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeTcbPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeSecurityPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeTakeOwnershipPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeLoadDriverPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeSystemProfilePrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeSystemtimePrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeProfSingleProcessPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeIncBasePriorityPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeCreatePagefilePrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeCreatePermanentPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeBackupPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeRestorePrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeShutdownPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeDebugPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeAuditPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeSystemEnvironmentPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeChangeNotifyPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeRemoteShutdownPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeUndockPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeSyncAgentPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeEnableDelegationPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeManageVolumePrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeImpersonatePrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeCreateGlobalPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeCreateTokenPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeAssignPrimaryTokenPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeLockMemoryPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeIncreaseQuotaPrivilege	4140	ToDesk_x64_4.7.4.8.exe
Token: SeMachineAccountPrivilege	4140	ToDesk_x64_4.7.4.8.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4140	ToDesk_x64_4.7.4.8.exe
2804	msiexec.exe
752	ToDesk.exe
752	ToDesk.exe
2804	msiexec.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
752	ToDesk.exe
752	ToDesk.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5048	ToDesk.exe
4976	ToDesk.exe
3708	ToDesk.exe
752	ToDesk.exe
752	ToDesk.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 1424	4716	msiexec.exe	84
PID 4716 wrote to memory of 1424	4716	msiexec.exe	84
PID 4716 wrote to memory of 1424	4716	msiexec.exe	84
PID 4140 wrote to memory of 2804	4140	ToDesk_x64_4.7.4.8.exe	85
PID 4140 wrote to memory of 2804	4140	ToDesk_x64_4.7.4.8.exe	85
PID 4140 wrote to memory of 2804	4140	ToDesk_x64_4.7.4.8.exe	85
PID 4716 wrote to memory of 1780	4716	msiexec.exe	86
PID 4716 wrote to memory of 1780	4716	msiexec.exe	86
PID 4716 wrote to memory of 1780	4716	msiexec.exe	86
PID 4716 wrote to memory of 4984	4716	msiexec.exe	97
PID 4716 wrote to memory of 4984	4716	msiexec.exe	97
PID 4716 wrote to memory of 4604	4716	msiexec.exe	99
PID 4716 wrote to memory of 4604	4716	msiexec.exe	99
PID 4716 wrote to memory of 4604	4716	msiexec.exe	99
PID 4716 wrote to memory of 4220	4716	msiexec.exe	101
PID 4716 wrote to memory of 4220	4716	msiexec.exe	101
PID 4716 wrote to memory of 4220	4716	msiexec.exe	101
PID 4220 wrote to memory of 2116	4220	wmicode.exe	103
PID 4220 wrote to memory of 2116	4220	wmicode.exe	103
PID 4220 wrote to memory of 2116	4220	wmicode.exe	103
PID 4220 wrote to memory of 2116	4220	wmicode.exe	103
PID 4220 wrote to memory of 2116	4220	wmicode.exe	103
PID 4220 wrote to memory of 2116	4220	wmicode.exe	103
PID 4220 wrote to memory of 2116	4220	wmicode.exe	103
PID 4220 wrote to memory of 2116	4220	wmicode.exe	103
PID 4716 wrote to memory of 5048	4716	msiexec.exe	100
PID 4716 wrote to memory of 5048	4716	msiexec.exe	100
PID 2936 wrote to memory of 2864	2936	SxS.exe	105
PID 2936 wrote to memory of 2864	2936	SxS.exe	105
PID 2936 wrote to memory of 2864	2936	SxS.exe	105
PID 2936 wrote to memory of 2864	2936	SxS.exe	105
PID 2936 wrote to memory of 2864	2936	SxS.exe	105
PID 2936 wrote to memory of 2864	2936	SxS.exe	105
PID 2936 wrote to memory of 2864	2936	SxS.exe	105
PID 2936 wrote to memory of 2864	2936	SxS.exe	105
PID 4976 wrote to memory of 3708	4976	ToDesk.exe	109
PID 4976 wrote to memory of 3708	4976	ToDesk.exe	109
PID 2864 wrote to memory of 1932	2864	svchost.exe	111
PID 2864 wrote to memory of 1932	2864	svchost.exe	111
PID 2864 wrote to memory of 1932	2864	svchost.exe	111
PID 2864 wrote to memory of 1932	2864	svchost.exe	111
PID 2864 wrote to memory of 1932	2864	svchost.exe	111
PID 2864 wrote to memory of 1932	2864	svchost.exe	111
PID 2864 wrote to memory of 1932	2864	svchost.exe	111
PID 2864 wrote to memory of 1932	2864	svchost.exe	111
PID 4976 wrote to memory of 752	4976	ToDesk.exe	112
PID 4976 wrote to memory of 752	4976	ToDesk.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ToDesk_x64_4.7.4.8.exe
"C:\Users\Admin\AppData\Local\Temp\ToDesk_x64_4.7.4.8.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Hainan YouQu Technology Co., Ltd\ToDesk 4.8.4.8\install\ToDesk.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ToDesk_x64_4.7.4.8.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup "
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:2804

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DB6F7258365866290DA4187FC19845D6 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1424
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3BCE7360D3F72066EB2F52B73FBB10C4 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1780
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4984
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B7D79AE098C3CB947F2EF6FA4873A841
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4604
- C:\Program Files\ToDesk\ToDesk.exe
  "C:\Program Files\ToDesk\ToDesk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:5048
- C:\Program Files\ToDesk\Tools\wmicode.exe
  "C:\Program Files\ToDesk\Tools\wmicode.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe 100 4220
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1384

C:\ProgramData\NVIDIASmart\SxS.exe
"C:\ProgramData\NVIDIASmart\SxS.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe 201 0
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 2864
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1932

C:\Program Files\ToDesk\ToDesk.exe
"C:\Program Files\ToDesk\ToDesk.exe" --runservice
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Program Files\ToDesk\ToDesk.exe
  "C:\Program Files\ToDesk\ToDesk.exe" --hide --localPort=35600
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:3708
- C:\Program Files\ToDesk\ToDesk.exe
  "C:\Program Files\ToDesk\ToDesk.exe" --hide --localPort=35600
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e580982.rbs

Filesize
12KB

MD5
ff85c09751c0cc784bc87f4388755fc7

SHA1
47d8b6865b1b845561b86ad7b9d7f7d27d78b557

SHA256
702221fd66b493f32900e8f7cd9247fc72cecc7bc14964948e9f28ec9556dd11

SHA512
ac6237009ee2ac13d070e1a7dea7fe331e35d14bec0b83d037ace3730e04077c9dbff704d1eb641ac8f3496ef3c55ff363278744e53fe0e3c3b1743608e22e3f

Download Submit
C:\Program Files\ToDesk\ToDesk.exe

Filesize
48.4MB

MD5
85b8e15b90d8bf333f0d49c11db9b1b0

SHA1
70ab7088257b0121a8e39dcab2a3846923f62ac0

SHA256
a9e56ee892beb3e0be3f2d412a2b4448c5a41b28fe2a15a40798faa119d4025c

SHA512
844b924351752992758d881f328176f4329f8f9182ced686e51fa1fe3413b8ea3f507eac031b997b07b8886cb978655443bd6da1c018181f25ca73d4e035f64b

Download Submit
C:\Program Files\ToDesk\Tools\wmicode.exe

Filesize
122KB

MD5
d771741bb33ab0f2f364fd10e486df33

SHA1
fbb4d03ab6582627d341f76956fe995c182c98b1

SHA256
d5d9fefd7a79ba0c121ba76d0cd51f9520effc490424978bd341f130ec835455

SHA512
41f089d7ca755a385f68a65105e2aee0c9a34df03911746d59266db42bf3bf74372b168cebc40b034975ffe86dea93929e3a42155076bd8dcfbbefca78ba075e

Download Submit
C:\Program Files\ToDesk\Tools\wmicodegen.dll

Filesize
9KB

MD5
cf23d084f48349158cb8f837a02369bd

SHA1
bf2d8cee1ecbf85c29ab1ef4f157eebfb91f79e4

SHA256
c9f2fd4ffc334d6e952b04b2d799714d034d6696dcff18c39f7e597ab9279451

SHA512
48624f2e085dee127dc3499465ac1500d1daa8759e705af24a6f8dcfc417929a47ef973a62b79065312a2e5cda35819ef81c3fd98e62ea48c4db993943da545e

Download Submit
C:\Program Files\ToDesk\Tools\wmidll.dat

Filesize
130KB

MD5
b1231c5483c4e1ac2e4832047364355d

SHA1
37b697dbee932d6cfc813ef91a8014c129df44e7

SHA256
19795c19808560ea7f8595c77bf00f6db848479469ee9255bd80ee564e34867b

SHA512
edee0b31b1b391baeba69bfec883de659a7aec9cf33c46d88dbbb389b9ebbf07ee4d4fcc8acd13ca611c8c16bdbd3b015834577f0b8f6dc55ab7315b6051df62

Download Submit
C:\Program Files\ToDesk\config.ini

Filesize
246B

MD5
1fb21dec1eab011e11f0ee96bbfdbde7

SHA1
525ced805f78094f574f9f1be30ebfa31599e5ce

SHA256
3a18b3362aeb88a159738f8de22ee238484bd65e3cba6449dd5dedc8861034c9

SHA512
285d6e3e6e8278ce2cf566849d320b641f3124e782cfec7f406b6d9ad190034defb8898580e6782f0553159ee5a1bfa9d3b0115a3d24b38cf181fc2451b2524d

Download Submit
C:\Program Files\ToDesk\config.ini

Filesize
394B

MD5
50246acdb5cca01a786b749fcc32125a

SHA1
6c48ca2feb83ab75a456f49c5c74062e6b8b6cab

SHA256
b14e922d7a97fa0ba033815d64bc23a43739ac016b5899a464e45db709c7d18b

SHA512
688dd602448376411b64074eebc2801959cb90270aeed3a66c60547b82e2da230b20f64063094f50c1a18b6f7449f2afe107f9a7cadc78ca008b58fe360e1902

Download Submit
C:\Program Files\ToDesk\config.ini

Filesize
529B

MD5
a55f7e6d5d878f22b329e5046a854f4d

SHA1
cefc772368646f5658f91399c2afbce14134134d

SHA256
30f1080fc72608f618bfafc744e23a347ee592d485e7794842dca831d5d9af00

SHA512
677d0e3d2d0a55b3da2b492501ee36dad551d7b941ba7209b13894c280c30de89b14d33347d75fb4d766a3be7aeb6afc136a1ec05b5cf8977dbcbdec0da2d15a

Download Submit
C:\Program Files\ToDesk\config.ini

Filesize
589B

MD5
b64657a2f685b9d25da64fca959de108

SHA1
05d1f5cb0b0895291001f03f801b9b52b5db063e

SHA256
330c85c8fc2ae5c8ab9427d1308690143e1840082764ed3513b57a897f0e1aba

SHA512
6ea9fe1e4e062785677e71dfa52a1e50db79f37a6e7d930e21bda8194d84ab8ce827119f6ffb98e5a506b6539ce79565c7e7ec0217a8b7d3043df00d73d1b722

Download Submit
C:\Program Files\ToDesk\zrtc.dll

Filesize
49.3MB

MD5
fab94e3b080e8d2dfc21b37278f73eb8

SHA1
73c55c05f53b9ead97a4a6acd497860efc119ca8

SHA256
d3f9c273b420be3ce59a8526d11827009215f559b39291844e3f98d8306c9a69

SHA512
41eb4ddb54e2e8d3e21921c06a83aa0e59cd371eaeda0708cea27a1f42e05df6e5b4aa7f8cef4d6c3185ac71e48a405f2e44c972341a9961ab8e06f91ccc0f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB586.tmp

Filesize
349KB

MD5
8752c01d76bc7b3a38b6acaf5b9c387b

SHA1
8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

SHA256
344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

SHA512
5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

Download Submit
C:\Users\Admin\AppData\Roaming\Hainan YouQu Technology Co., Ltd\ToDesk 4.8.4.8\install\ToDesk.msi

Filesize
1.5MB

MD5
fd114784173437f9c5f462c62751fc63

SHA1
a34e669da0342deb4c8fcbb27fb07bf604ee2a26

SHA256
e7e55be0c02d71e4188782471402557e7bbbaab85cdd95dfd08aa5b16a49f6a2

SHA512
086e63466761b326ff1749bffd11a1361c0171a62018e525ae35e7838b15db34b8df32e5abbe5e10f05926eb4ff221531d685c23a84aa4a56d565c178df8b845

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-us\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Windows\Installer\MSIB87.tmp

Filesize
566KB

MD5
0e4db22ddc7c96801b65bc13e3a53455

SHA1
775da57600792fb18cd0e9626afc53bb2ba07abf

SHA256
675f7d999bf17ceedcd799bdf1b2fb02cc560cdc18c0609aa92eca0cd3a98961

SHA512
88ddb37880af878eddf7b82c919285dcec6360cea81c3755efeec7d0fb92c4e7ffe96ec654046ec9a4c6f1087d4e95b440b745621921041676bdc170663f3772

Download Submit
C:\Windows\Installer\MSIC15.tmp

Filesize
287KB

MD5
31a4f044c23a648c306df463302c49b5

SHA1
e014c21b4b0f3b054ee3f7b6bbba6b38974ab5da

SHA256
e12b2df53c66e4b3c5073682434fee7b1e070794f79e090ccc8fb803487f3a94

SHA512
e9d5606325a3e3fb371738bef66566f0491d080a5d6208482543f8729cd194d9dc11e3bc3989c3c19f359d3f34da977022b8a6457b6479ce5c51e3bf091a22fc

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
17d27e8a49627b11e6ec60febdacb548

SHA1
5d9f3e7f7db4cdb4c69c5d19d49a9163c5b051c5

SHA256
7ad2be5af2525966ae02c2889ae2acbea96624023948cff8dce3b08373dbcdc7

SHA512
23d4abccea06e56a3aa09c7fd9402be4fb4539cb186505bf24ffa9a4edcde7ad990a42bc9ac13d5c7f0eb3ca4ff8f80082d06dfa727c36087c94169d009adc69

Download Submit
\??\Volume{f3a72b53-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b0062b8f-51fa-4fe4-b61c-cd6b4fbe44bc}_OnDiskSnapshotProp

Filesize
6KB

MD5
2916bd97ece6fcf7edc50897b178619b

SHA1
9b00c4d6fa4af2bd99e34e34268d91b7786f7fae

SHA256
5301f2d2e56a1037e682c51d694f94bd1e76e27403b9ea63e26ec376f6d21812

SHA512
826bc51905dcd043b94c6b84cd4992d895f9bc38e219b6768ab6e3eb88f029663bc73b056f3b5c26c19c22e74f8c997213d5c950c9a4fb4c930637daabca8b76

Download Submit
memory/1932-639-0x0000000002210000-0x000000000224A000-memory.dmp

Filesize
232KB

Download
memory/1932-182-0x0000000002210000-0x000000000224A000-memory.dmp

Filesize
232KB

Download
memory/1932-497-0x0000000002210000-0x000000000224A000-memory.dmp

Filesize
232KB

Download
memory/1932-179-0x0000000002210000-0x000000000224A000-memory.dmp

Filesize
232KB

Download
memory/1932-632-0x0000000002210000-0x000000000224A000-memory.dmp

Filesize
232KB

Download
memory/1932-633-0x0000000002210000-0x000000000224A000-memory.dmp

Filesize
232KB

Download
memory/1932-183-0x0000000002210000-0x000000000224A000-memory.dmp

Filesize
232KB

Download
memory/1932-181-0x0000000002210000-0x000000000224A000-memory.dmp

Filesize
232KB

Download
memory/1932-180-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/2116-127-0x00000000013B0000-0x00000000013EA000-memory.dmp

Filesize
232KB

Download
memory/2116-176-0x00000000013B0000-0x00000000013EA000-memory.dmp

Filesize
232KB

Download
memory/2864-159-0x0000000000C80000-0x0000000000CBA000-memory.dmp

Filesize
232KB

Download
memory/2864-145-0x0000000000C80000-0x0000000000CBA000-memory.dmp

Filesize
232KB

Download
memory/2864-158-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/2864-148-0x0000000000C80000-0x0000000000CBA000-memory.dmp

Filesize
232KB

Download
memory/2864-160-0x0000000000C80000-0x0000000000CBA000-memory.dmp

Filesize
232KB

Download
memory/2864-161-0x0000000000C80000-0x0000000000CBA000-memory.dmp

Filesize
232KB

Download
memory/2864-640-0x0000000000C80000-0x0000000000CBA000-memory.dmp

Filesize
232KB

Download
memory/2864-496-0x0000000000C80000-0x0000000000CBA000-memory.dmp

Filesize
232KB

Download
memory/2864-164-0x0000000000C80000-0x0000000000CBA000-memory.dmp

Filesize
232KB

Download
memory/2864-631-0x0000000000C80000-0x0000000000CBA000-memory.dmp

Filesize
232KB

Download
memory/2936-163-0x00000000017C0000-0x00000000017FA000-memory.dmp

Filesize
232KB

Download
memory/2936-141-0x00000000017C0000-0x00000000017FA000-memory.dmp

Filesize
232KB

Download
memory/4220-126-0x0000000000C50000-0x0000000000C8A000-memory.dmp

Filesize
232KB

Download
memory/4220-166-0x0000000000C50000-0x0000000000C8A000-memory.dmp

Filesize
232KB

Download