File name: 远程ToDesk.exe

Full analysis: https://app.any.run/tasks/4c4f92a3-e537-4a4d-9cd9-fa9db68a285d
Verdict: Malicious activity
Analysis date: May 26, 2024, 10:51:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: 5A882F2B1D82C84B520C20B497581218
SHA1: 6C65F25E8C4D6E5B33C29D6E66E8BF625E821058
SHA256: E03603EA96D49B2EF36640F78BEB89FDE5A87B69DE02593A92AE51D21C0B8DFC
SSDEEP: 49152:/jleh85ROUZLAHISqlHttxyymOP+4FbbR/LwIZHYiLGON0drS/oYB4aWJ8p/CPvp:LJrZLCLqlNt4ylJFnR/LVZxj0drS/oYY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 远程ToDesk.exe (PID: 3980)
      • ToDesk_Setup.exe (PID: 2036)
  • SUSPICIOUS

    • Reads the Internet Settings

      • 远程ToDesk.exe (PID: 3980)
    • Reads security settings of Internet Explorer

      • 远程ToDesk.exe (PID: 3980)
    • Executable content was dropped or overwritten

      • ToDesk_Setup.exe (PID: 2036)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • ToDesk_Setup.exe (PID: 2036)
    • The process creates files with name similar to system file names

      • ToDesk_Setup.exe (PID: 2036)
    • Starts application with an unusual extension

      • ToDesk_Setup.exe (PID: 2036)
    • Starts CMD.EXE for commands execution

      • nsD4B9.tmp (PID: 1432)
      • nsD537.tmp (PID: 1628)
      • nsD651.tmp (PID: 1652)
      • nsD6CF.tmp (PID: 768)
      • nsD7DA.tmp (PID: 1944)
      • nsD858.tmp (PID: 1548)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 2180)
      • cmd.exe (PID: 616)
      • cmd.exe (PID: 1424)
      • cmd.exe (PID: 1792)
      • cmd.exe (PID: 2276)
      • cmd.exe (PID: 660)
    • Process drops legitimate windows executable

      • ToDesk_Setup.exe (PID: 2036)
    • Drops a system driver (possible attempt to evade defenses)

      • ToDesk_Setup.exe (PID: 2036)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • nsE9DE.tmp (PID: 1676)
      • nsEAC9.tmp (PID: 2460)
      • nsE818.tmp (PID: 2256)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • nsEBB5.tmp (PID: 2648)
      • nsED7C.tmp (PID: 2360)
      • nsECA0.tmp (PID: 1888)
      • nsEE67.tmp (PID: 2660)
      • nsEF43.tmp (PID: 2428)
      • nsF02E.tmp (PID: 972)
    • Creates a software uninstall entry

      • ToDesk_Setup.exe (PID: 2036)
    • Executes as Windows Service

      • ToDesk.exe (PID: 2828)
    • Application launched itself

      • ToDesk.exe (PID: 2828)
    • Reads the date of Windows installation

      • ToDesk.exe (PID: 2828)
  • INFO

    • Reads the computer name

      • 远程ToDesk.exe (PID: 3980)
      • wmpnscfg.exe (PID: 4032)
      • ToDesk_Setup.exe (PID: 2036)
      • ToDesk.exe (PID: 2748)
      • ToDesk.exe (PID: 3020)
      • ToDesk.exe (PID: 2868)
      • ToDesk.exe (PID: 2828)
    • Checks supported languages

      • 远程ToDesk.exe (PID: 3980)
      • wmpnscfg.exe (PID: 4032)
      • ToDesk_Setup.exe (PID: 2036)
      • nsD4B9.tmp (PID: 1432)
      • nsD537.tmp (PID: 1628)
      • nsD651.tmp (PID: 1652)
      • nsD6CF.tmp (PID: 768)
      • nsD7DA.tmp (PID: 1944)
      • nsD858.tmp (PID: 1548)
      • nsEAC9.tmp (PID: 2460)
      • nsEBB5.tmp (PID: 2648)
      • nsECA0.tmp (PID: 1888)
      • nsEE67.tmp (PID: 2660)
      • nsED7C.tmp (PID: 2360)
      • nsF02E.tmp (PID: 972)
      • nsEF43.tmp (PID: 2428)
      • nsE818.tmp (PID: 2256)
      • nsE9DE.tmp (PID: 1676)
      • ToDesk.exe (PID: 2828)
      • ToDesk.exe (PID: 2868)
      • ToDesk.exe (PID: 3020)
      • ToDesk.exe (PID: 2748)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 4032)
    • Create files in a temporary directory

      • ToDesk_Setup.exe (PID: 2036)
    • Creates files in the program directory

      • ToDesk_Setup.exe (PID: 2036)
      • ToDesk.exe (PID: 2828)
    • Reads the machine GUID from the registry

      • ToDesk.exe (PID: 2748)
      • ToDesk.exe (PID: 2828)
      • ToDesk.exe (PID: 3020)
    • Creates files or folders in the user directory

      • ToDesk.exe (PID: 3020)
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (76)
.exe | Win32 Executable (generic) (12.6)
.exe | Generic Win/DOS Executable (5.6)
.exe | DOS Executable Generic (5.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:11:09 10:50:33+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 1413120
InitializedDataSize: 126976
UninitializedDataSize: 2019328
EntryPoint: 0x346d40
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: ToDesk DownLoader Software
FileVersion: 1, 0, 0, 1
InternalName: ToDesk DownLoader
LegalCopyright: Copyright(C) 2019 - 2023 www.todesk.com. All Right Reserved
OriginalFileName: ToDesk_DownLoader.exe
ProductName: ToDesk DownLoader
ProductVersion: 1, 0, 0, 1
No data.
All screenshots are available in the full report
Total processes: 95
Monitored processes: 44
Malicious processes: 2
Suspicious processes: 1

Behavior graph

start 远程todesk.exe wmpnscfg.exe no specs todesk_setup.exe no specs todesk_setup.exe nsd4b9.tmp no specs cmd.exe no specs sc.exe no specs nsd537.tmp no specs cmd.exe no specs sc.exe no specs nsd651.tmp no specs cmd.exe no specs sc.exe no specs nsd6cf.tmp no specs cmd.exe no specs sc.exe no specs nsd7da.tmp no specs cmd.exe no specs sc.exe no specs nsd858.tmp no specs cmd.exe no specs sc.exe no specs nse818.tmp no specs netsh.exe no specs nse9de.tmp no specs netsh.exe no specs nseac9.tmp no specs netsh.exe no specs nsebb5.tmp no specs netsh.exe no specs nseca0.tmp no specs netsh.exe no specs nsed7c.tmp no specs netsh.exe no specs nsee67.tmp no specs netsh.exe no specs nsef43.tmp no specs netsh.exe no specs nsf02e.tmp no specs netsh.exe no specs todesk.exe todesk.exe todesk.exe no specs todesk.exe

Process information

PID: 324
CMD: netsh advfirewall firewall delete rule name="ToDesk_Session"
Path: C:\Windows\System32\netsh.exe
Parent process: nsEAC9.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll

PID: 616
CMD: cmd.exe /c sc stop ToDesk_Service
Path: C:\Windows\System32\cmd.exe
Parent process: nsD651.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1060
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 660
CMD: cmd.exe /c sc delete ToDesk_Service
Path: C:\Windows\System32\cmd.exe
Parent process: nsD537.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1060
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 692
CMD: sc stop ToDesk_Service
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: A tool to aid in developing services for WindowsNT
Exit code: 1060
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 728
CMD: sc delete ToDesk_Service
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: A tool to aid in developing services for WindowsNT
Exit code: 1060
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 768
CMD: "C:\Users\admin\AppData\Local\Temp\nsgAD1B.tmp\nsD6CF.tmp" cmd.exe /c sc delete ToDesk_Service
Path: C:\Users\admin\AppData\Local\Temp\nsgAD1B.tmp\nsD6CF.tmp
Parent process: ToDesk_Setup.exe
User: admin
Integrity Level: HIGH
Exit code: 1060
Modules (images):
c:\users\admin\appdata\local\temp\nsgad1b.tmp\nsd6cf.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 972
CMD: "C:\Users\admin\AppData\Local\Temp\nsgAD1B.tmp\nsF02E.tmp" netsh advfirewall firewall add rule name="ToDesk_Session" dir=out program="C:\Program Files\ToDesk\ToDesk_Session.exe" action=allow
Path: C:\Users\admin\AppData\Local\Temp\nsgAD1B.tmp\nsF02E.tmp
Parent process: ToDesk_Setup.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\nsgad1b.tmp\nsf02e.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 1028
CMD: netsh advfirewall firewall add rule name="ToDesk_Session" dir=out program="C:\Program Files\ToDesk\ToDesk_Session.exe" action=allow
Path: C:\Windows\System32\netsh.exe
Parent process: nsF02E.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll

PID: 1424
CMD: cmd.exe /c sc delete ToDesk_Service
Path: C:\Windows\System32\cmd.exe
Parent process: nsD6CF.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1060
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 1432
CMD: "C:\Users\admin\AppData\Local\Temp\nsgAD1B.tmp\nsD4B9.tmp" cmd.exe /c sc stop ToDesk_Service
Path: C:\Users\admin\AppData\Local\Temp\nsgAD1B.tmp\nsD4B9.tmp
Parent process: ToDesk_Setup.exe
User: admin
Integrity Level: HIGH
Exit code: 1060
Modules (images):
c:\users\admin\appdata\local\temp\nsgad1b.tmp\nsd4b9.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

Total events: 12 719
Read events: 12 268
Write events: 451
Delete events: 0

Modification events

(PID) Process: (3980) 远程ToDesk.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
(PID) Process: (3980) 远程ToDesk.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
(PID) Process: (3980) 远程ToDesk.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
(PID) Process: (3980) 远程ToDesk.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
(PID) Process: (2036) ToDesk_Setup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\ToDesk | Operation: write | Name: InstPath | Value: C:\Program Files\ToDesk
(PID) Process: (2036) ToDesk_Setup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ToDesk | Operation: write | Name: DisplayName | Value: ToDesk
(PID) Process: (2036) ToDesk_Setup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ToDesk | Operation: write | Name: UninstallString | Value: C:\Program Files\ToDesk\uninst.exe
(PID) Process: (2036) ToDesk_Setup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ToDesk | Operation: write | Name: DisplayIcon | Value: C:\Program Files\ToDesk\ToDesk.exe
(PID) Process: (2036) ToDesk_Setup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ToDesk | Operation: write | Name: Publisher | Value: ToDesk Remote Desktop
(PID) Process: (2036) ToDesk_Setup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ToDesk | Operation: write | Name: DisplayVersion | Value: 4.7.2.1
Executable files: 35
Suspicious files: 14
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3980 | 远程ToDesk.exe | C:\Users\admin\Downloads\ToDesk_Setup.exe.tmp
MD5:
SHA256:
3980 | 远程ToDesk.exe | C:\Users\admin\Downloads\ToDesk_Setup.exe
MD5:
SHA256:
2036 | ToDesk_Setup.exe | C:\Program Files\ToDesk\ToDesk.exe
MD5:
SHA256:
2036 | ToDesk_Setup.exe | C:\Program Files\ToDesk\zrtc.dll
MD5:
SHA256:
2036 | ToDesk_Setup.exe | C:\Users\admin\AppData\Local\Temp\nsgAD1B.tmp\skin.zip | compressed
MD5: 8303B45CE651486D9DD2D7BBC597B8DA
SHA256: D354CE56A0D85D1A2930DE79591464C89B272016EB63F626A7FEF36A9D78519A
2036 | ToDesk_Setup.exe | C:\Users\admin\AppData\Local\Temp\nsgAD1B.tmp\nsD4B9.tmp | executable
MD5: F27689C513E7D12C7C974D5F8EF710D6
SHA256: 1F18F4126124B0551F3DBCD0FEC7F34026F930CA509F04435657CEDC32AE8C47
2036 | ToDesk_Setup.exe | C:\Users\admin\AppData\Local\Temp\nsgAD1B.tmp\nsNiuniuSkin.dll | executable
MD5: BB0CDFF5AC2D64723007A0B4F7962A02
SHA256: 33E460A080A621CDA7896E96B6F1BEEE802B485CF99E18B27463CD362C484B08
2036 | ToDesk_Setup.exe | C:\Users\admin\AppData\Local\Temp\nsgAD1B.tmp\nsExec.dll | executable
MD5: F27689C513E7D12C7C974D5F8EF710D6
SHA256: 1F18F4126124B0551F3DBCD0FEC7F34026F930CA509F04435657CEDC32AE8C47
2036 | ToDesk_Setup.exe | C:\Users\admin\AppData\Local\Temp\nsgAD1B.tmp\nsD537.tmp | executable
MD5: F27689C513E7D12C7C974D5F8EF710D6
SHA256: 1F18F4126124B0551F3DBCD0FEC7F34026F930CA509F04435657CEDC32AE8C47
2036 | ToDesk_Setup.exe | C:\Users\admin\AppData\Local\Temp\nsgAD1B.tmp\nsSCM.dll | executable
MD5: C68ACA71E85B9615C16C45A3437B5558
SHA256: 00E701893AF9204D3E9669539BD47FD00E954C5583492B97647EFF7811D55181
HTTP(S) requests: 0
TCP/UDP connections: 8
DNS requests: 4
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | unknown
3980 | 远程ToDesk.exe | 43.152.26.104:443 | download.todesk.com | ACE | DE | unknown
3980 | 远程ToDesk.exe | 43.152.44.86:443 | dl.todesk.com | ACE | DE | unknown
2828 | ToDesk.exe | 43.135.63.118:443 | authds.todesk.com | Tencent Building, Kejizhongyi Avenue | HK | unknown
2828 | ToDesk.exe | 119.29.125.57:443 | st.todesk.com | Shenzhen Tencent Computer Systems Company Limited | CN | unknown

DNS requests

Domain
IP
Reputation
download.todesk.com
  • 43.152.26.104
  • 43.152.26.154
  • 43.152.26.151
  • 43.152.26.221
  • 43.152.26.58
  • 43.152.26.142
  • 43.152.26.197
unknown
dl.todesk.com
  • 43.152.44.86
unknown
authds.todesk.com
  • 43.135.63.118
unknown
st.todesk.com
  • 119.29.125.57
  • 42.194.227.184
  • 106.55.223.34
unknown

Threats

No threats detected
Process | Message

远程ToDesk.exe | C:\Users\admin\Downloads\ToDesk_Setup.exe
远程ToDesk.exe | C:\Users\admin\Downloads\
远程ToDesk.exe | C:\Users\admin\Downloads\ToDesk_Setup.exe.tmp
ToDesk_Setup.exe | Window, size, 592,382
ToDesk_Setup.exe | Window, bktrans, true
ToDesk_Setup.exe | Window, caption, 0,0,0,382
ToDesk_Setup.exe | Window, sizebox, 0,0,0,0
ToDesk_Setup.exe | VerticalLayoutUI, align, center
ToDesk_Setup.exe | ButtonUI, text, ??
ToDesk_Setup.exe | ButtonUI, hottextcolor, 0xFFFFFFFF