Malware Analysis Report

2024-09-23 06:57

Sample ID 221121-p1rdtaaf67
Target rdpclient.exe
SHA256 f26a427105cba33da30a7e345f398c0808ad350875ff6bc1790b17132a1c0405
Tags azov persistence ransomware spyware stealer wiper
Score 10/10


Analysis Overview

Score 10/10

SHA256 f26a427105cba33da30a7e345f398c0808ad350875ff6bc1790b17132a1c0405

Threat Level: Known bad

The file rdpclient.exe was found to be: Known bad.

Malicious Activity Summary

azov persistence ransomware spyware stealer wiper

Azov

Reads user/profile data of web browsers

Adds Run key to start application

Enumerates connected drives

Drops file in Program Files directory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported 2022-11-21 12:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-11-21 12:48

Reported 2022-11-21 12:50

Platform win7-20221111-en

Max time kernel 162s

Max time network 31s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rdpclient.exe"

Signatures

Azov

ransomware wiper azov

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\rdpclient.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" C:\Users\Admin\AppData\Local\Temp\rdpclient.exe N/A

Enumerates connected drives


Drops file in Program Files directory


Processes

C:\Users\Admin\AppData\Local\Temp\rdpclient.exe

"C:\Users\Admin\AppData\Local\Temp\rdpclient.exe"

Network

N/A

Files

memory/2036-54-0x0000000000110000-0x0000000000114000-memory.dmp

memory/2036-55-0x000000013F9B0000-0x000000013F9C7000-memory.dmp

memory/2036-58-0x0000000000110000-0x0000000000114000-memory.dmp

memory/2036-57-0x0000000000100000-0x0000000000105000-memory.dmp

memory/2036-56-0x00000000000E0000-0x00000000000E7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2022-11-21 12:48

Reported 2022-11-21 12:50

Platform win10v2004-20221111-en

Max time kernel 150s

Max time network 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rdpclient.exe"

Signatures

Azov

ransomware wiper azov

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\rdpclient.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" C:\Users\Admin\AppData\Local\Temp\rdpclient.exe N/A

Enumerates connected drives


Drops file in Program Files directory


Processes

C:\Users\Admin\AppData\Local\Temp\rdpclient.exe

"C:\Users\Admin\AppData\Local\Temp\rdpclient.exe"

Network

Country Destination Domain Proto
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 40.126.31.71:443 tcp
N/A 93.184.221.240:80 tcp
N/A 20.50.73.10:443 tcp
N/A 93.184.221.240:80 tcp
N/A 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
N/A 8.8.8.8:53 7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa udp

Files

memory/3648-132-0x0000021E947F0000-0x0000021E947F4000-memory.dmp

memory/3648-133-0x00007FF7BBE50000-0x00007FF7BBE67000-memory.dmp

memory/3648-134-0x0000021E947C0000-0x0000021E947C7000-memory.dmp

memory/3648-135-0x0000021E947E0000-0x0000021E947E5000-memory.dmp

memory/3648-136-0x0000021E947F0000-0x0000021E947F4000-memory.dmp