Analysis Overview
SHA256
f26a427105cba33da30a7e345f398c0808ad350875ff6bc1790b17132a1c0405
Threat Level: Known bad
The file rdpclient.exe was found to be: Known bad.
Malicious Activity Summary
Azov
Reads user/profile data of web browsers
Adds Run key to start application
Enumerates connected drives
Drops file in Program Files directory
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-21 12:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-21 12:48
Reported
2022-11-21 12:50
Platform
win7-20221111-en
Max time kernel
162s
Max time network
31s
Command Line
Signatures
Azov
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Brussels | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_dot.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\gu.pak | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belize | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Krasnoyarsk | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_left.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Hovd | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.security | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Jujuy | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\SIGNUP\install.ins | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\management\jmxremote.access | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Vilnius | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfontj2d.properties | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Yekaterinburg | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\custom.lua | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\Windows Media Player\it-IT\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureA.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Khartoum | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_ja.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_ja.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Antarctica\Macquarie | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_blu.css | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\jsse.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\ext\sunjce_provider.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT\TableTextService\TableTextServiceYi.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\he.pak | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.jpg | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\Common Files\System\de-DE\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask.wmv | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface_3.10.1.v20140813-1009.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\rdpclient.exe
"C:\Users\Admin\AppData\Local\Temp\rdpclient.exe"
Network
Files
memory/2036-54-0x0000000000110000-0x0000000000114000-memory.dmp
memory/2036-55-0x000000013F9B0000-0x000000013F9C7000-memory.dmp
memory/2036-58-0x0000000000110000-0x0000000000114000-memory.dmp
memory/2036-57-0x0000000000100000-0x0000000000105000-memory.dmp
memory/2036-56-0x00000000000E0000-0x00000000000E7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-21 12:48
Reported
2022-11-21 12:50
Platform
win10v2004-20221111-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Azov
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\[email protected] | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-36_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul.xrm-ms | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-80_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxWideTile.scale-150.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\cs-cz\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarMediumTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\pages-app-tool-view.js | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCacheMini.scale-200.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-125.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Light.scale-400.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-24_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_extensions.pak | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-125_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_up_18.svg | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sv_get.svg | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\cs_get.svg | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-FR\View3d\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-400.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Snooze.scale-64.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\PesterThrow.ps1 | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-40_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-ae\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-4246620582-653642754-1174164128-1000-MergedResources-0.pri | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.targetsize-48.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\example_icons.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\he-il\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-sl\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-36_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_up_hover_18.svg | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ku.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-72_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\MedTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\SuccessControl.xaml | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\rdpclient.exe
"C:\Users\Admin\AppData\Local\Temp\rdpclient.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 40.126.31.71:443 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 20.50.73.10:443 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | 7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa | udp |
Files
memory/3648-132-0x0000021E947F0000-0x0000021E947F4000-memory.dmp
memory/3648-133-0x00007FF7BBE50000-0x00007FF7BBE67000-memory.dmp
memory/3648-134-0x0000021E947C0000-0x0000021E947C7000-memory.dmp
memory/3648-135-0x0000021E947E0000-0x0000021E947E5000-memory.dmp
memory/3648-136-0x0000021E947F0000-0x0000021E947F4000-memory.dmp