Malware Analysis Report

2024-09-23 06:58

Sample ID: 221121-p3eg2aag37
Target: rdpclient.exe
SHA256: 9a952abaa9e8bc4676e2c8e53774d15198e4b9163bebf37a0bc2e238e49f2f98
Tags: azov persistence ransomware spyware stealer wiper
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 9a952abaa9e8bc4676e2c8e53774d15198e4b9163bebf37a0bc2e238e49f2f98

Threat Level: Known bad

The file rdpclient.exe was found to be: Known bad.

Malicious Activity Summary

azov persistence ransomware spyware stealer wiper

Azov

Modifies extensions of user files

Drops startup file

Reads user/profile data of web browsers

Adds Run key to start application

Enumerates connected drives

Drops file in Program Files directory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported: 2022-11-21 12:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-21 12:50

Reported: 2022-11-21 12:53

Platform: win7-20220812-en

Max time kernel: 141s

Max time network: 46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rdpclient.exe"

Signatures

Azov

ransomware wiper azov

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\TestSkip.tif => C:\Users\Admin\Pictures\TestSkip.tif.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A
File renamed | C:\Users\Admin\Pictures\ExitClose.png => C:\Users\Admin\Pictures\ExitClose.png.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A
File renamed | C:\Users\Admin\Pictures\InvokeSearch.tiff => C:\Users\Admin\Pictures\InvokeSearch.tiff.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A
File renamed | C:\Users\Admin\Pictures\PushInitialize.crw => C:\Users\Admin\Pictures\PushInitialize.crw.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\ResolveEnter.tiff | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A
File renamed | C:\Users\Admin\Pictures\ResolveEnter.tiff => C:\Users\Admin\Pictures\ResolveEnter.tiff.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A
File renamed | C:\Users\Admin\Pictures\SyncLimit.png => C:\Users\Admin\Pictures\SyncLimit.png.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A
File renamed | C:\Users\Admin\Pictures\EnableClose.raw => C:\Users\Admin\Pictures\EnableClose.raw.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A
File renamed | C:\Users\Admin\Pictures\OpenRestore.crw => C:\Users\Admin\Pictures\OpenRestore.crw.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\InvokeSearch.tiff | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A
File renamed | C:\Users\Admin\Pictures\ReceiveRename.png => C:\Users\Admin\Pictures\ReceiveRename.png.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A
File renamed | C:\Users\Admin\Pictures\SuspendGrant.raw => C:\Users\Admin\Pictures\SuspendGrant.raw.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A
File renamed | C:\Users\Admin\Pictures\ConvertFromGet.crw => C:\Users\Admin\Pictures\ConvertFromGet.crw.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A
File renamed | C:\Users\Admin\Pictures\ReadUndo.crw => C:\Users\Admin\Pictures\ReadUndo.crw.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A

Enumerates connected drives


Drops file in Program Files directory


Processes

C:\Users\Admin\AppData\Local\Temp\rdpclient.exe

"C:\Users\Admin\AppData\Local\Temp\rdpclient.exe"

Network

N/A

Files

memory/1896-54-0x0000000000110000-0x0000000000114000-memory.dmp

memory/1896-55-0x000000013FDD0000-0x000000013FDE7000-memory.dmp

memory/1896-58-0x0000000000110000-0x0000000000114000-memory.dmp

memory/1896-57-0x0000000000100000-0x0000000000105000-memory.dmp

memory/1896-56-0x00000000000E0000-0x00000000000E7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-11-21 12:50

Reported: 2022-11-21 12:53

Platform: win10v2004-20220812-en

Max time kernel: 147s

Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rdpclient.exe"

Signatures

Azov

ransomware wiper azov

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A

Enumerates connected drives


Drops file in Program Files directory


Processes

C:\Users\Admin\AppData\Local\Temp\rdpclient.exe

"C:\Users\Admin\AppData\Local\Temp\rdpclient.exe"

Network

Country | Destination | Domain | Proto
N/A | 52.109.8.45:443 | | tcp
N/A | 93.184.220.29:80 | | tcp
N/A | 93.184.220.29:80 | | tcp
N/A | 209.197.3.8:80 | | tcp
N/A | 209.197.3.8:80 | | tcp
N/A | 13.69.239.73:443 | | tcp

Files

memory/3996-132-0x0000021002D60000-0x0000021002D64000-memory.dmp

memory/3996-133-0x00007FF67FA70000-0x00007FF67FA87000-memory.dmp

memory/3996-134-0x0000021002D30000-0x0000021002D37000-memory.dmp

memory/3996-135-0x0000021002D50000-0x0000021002D55000-memory.dmp

memory/3996-136-0x0000021002D60000-0x0000021002D64000-memory.dmp