Analysis Overview
SHA256
d4b81ee9f7f012676c701b3ef9f98a6d6f224db9501ea40cc4fd5991844fe723
Threat Level: Known bad
The file rdpclient.exe was found to be: Known bad.
Malicious Activity Summary
Azov
Modifies extensions of user files
Drops startup file
Reads user/profile data of web browsers
Adds Run key to start application
Enumerates connected drives
Drops file in Program Files directory
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-21 12:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-21 12:47
Reported
2022-11-21 12:49
Platform
win7-20221111-en
Max time kernel
149s
Max time network
34s
Command Line
Signatures
Azov
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\EnableRead.crw => C:\Users\Admin\Pictures\EnableRead.crw.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ExitTest.raw => C:\Users\Admin\Pictures\ExitTest.raw.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RegisterGroup.raw => C:\Users\Admin\Pictures\RegisterGroup.raw.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RenameCopy.crw => C:\Users\Admin\Pictures\RenameCopy.crw.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ResumeApprove.tiff | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResumeApprove.tiff => C:\Users\Admin\Pictures\ResumeApprove.tiff.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UndoRestore.crw => C:\Users\Admin\Pictures\UndoRestore.crw.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01585_.WMF | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Origin.thmx | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Srednekolymsk | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\calendar.css | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0229389.WMF | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21344_.GIF | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewTemplate.html | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\[email protected] | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099163.WMF | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742G.GIF | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_K_COL.HXK | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\LAUNCH.GIF | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+7 | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\TAB_OFF.GIF | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGMARQ.XML | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\localizedStrings.js | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.metadataprovider.exsd | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-tools.xml | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099175.WMF | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18212_.WMF | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\RSSFeeds.css | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous_partly-cloudy.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\EDGE.INF | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belize | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up_BIDI.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WSIDBR98.POC | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pyongyang | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Multiplayer\Checkers\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\Windows Media Player\de-DE\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00351_.WMF | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188669.WMF | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\settings.js | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\DELETE.GIF | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AD.DPV | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.lnk | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\de-DE\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_left.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\el.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_down.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\content-types.properties | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Riga | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00369_.WMF | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-api-caching.xml | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01169_.WMF | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01046J.JPG | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\fr-FR\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTORE_F_COL.HXK | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
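The rows above show the three behaviours a detection rule would key on for this sample: user files renamed with a single appended extension (`.azov`), the same note file (`RESTORE_FILES.txt`) created across many directories including the Startup folder (where it opens at every logon), and a Run value (`Bandera`) pointing at `C:\ProgramData\rdpclient.exe`. The Python below is an added example and not the sandbox's own signature logic: it parses constructed event lines modelled on this report's tables and flags a process when at least two of those behaviours co-occur. The line format (`description | indicator | process`), the thresholds, and the verdict labels are assumptions made for the example.

```python
"""Added example: score sandbox behaviour events for the ransomware pattern in
this report (mass rename to one new extension, note dropped in many directories,
Run-key persistence).  Event lines are constructed from the report's tables;
this is not the sandbox vendor's signature code."""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed sample events, "<description> | <indicator> | <process>", mirroring
# the signature tables above (backslashes in registry data are doubled exactly
# as the report prints them).
SAMPLE_EVENTS = r"""
File renamed | C:\Users\Admin\Pictures\EnableRead.crw => C:\Users\Admin\Pictures\EnableRead.crw.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe
File renamed | C:\Users\Admin\Pictures\ExitTest.raw => C:\Users\Admin\Pictures\ExitTest.raw.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe
File renamed | C:\Users\Admin\Pictures\RegisterGroup.raw => C:\Users\Admin\Pictures\RegisterGroup.raw.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe
File opened for modification | C:\Users\Admin\Pictures\ResumeApprove.tiff | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe
File renamed | C:\Users\Admin\Pictures\ResumeApprove.tiff => C:\Users\Admin\Pictures\ResumeApprove.tiff.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe
"""

RENAME_RE = re.compile(r"^(?P<src>.+?) => (?P<dst>.+)$")
# Matches "...\CurrentVersion\Run\<name> = "<data>"" as printed in the report.
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>[^=]+?) = "(?P<data>.*)"$', re.IGNORECASE)


def parse_events(text):
    """Split the constructed event lines into (description, indicator, process)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        desc, indicator, process = (part.strip() for part in line.split(" | ", 2))
        events.append((desc, indicator, process))
    return events


def appended_extension(src, dst):
    """Return the extension appended to src when dst == src + '.<ext>', else None."""
    if dst.startswith(src + "."):
        ext = dst[len(src) + 1:]
        if ext and "\\" not in ext and "." not in ext:
            return ext.lower()
    return None


def analyse(events, min_renames=3, min_note_dirs=3):
    """Return per-process findings; 'ransomware-like' needs two of three behaviours."""
    ext_counts = defaultdict(Counter)                   # process -> Counter(ext)
    note_dirs = defaultdict(lambda: defaultdict(set))   # process -> basename -> {dir}
    run_keys = defaultdict(list)                        # process -> [(name, data)]

    for desc, indicator, process in events:
        if desc == "File renamed":
            m = RENAME_RE.match(indicator)
            ext = appended_extension(m["src"], m["dst"]) if m else None
            if ext:
                ext_counts[process][ext] += 1
        elif desc == "File created":
            path = PureWindowsPath(indicator)
            note_dirs[process][path.name.lower()].add(str(path.parent).lower())
        elif desc.startswith("Set value"):
            m = RUN_KEY_RE.search(indicator)
            if m:
                # The report doubles backslashes inside the value; undo that.
                run_keys[process].append((m["name"], m["data"].replace("\\\\", "\\")))

    findings = {}
    for process in set(ext_counts) | set(note_dirs) | set(run_keys):
        f = {}
        if ext_counts[process]:
            ext, n = ext_counts[process].most_common(1)[0]
            if n >= min_renames:
                f["appended_extension"], f["renamed_files"] = ext, n
        notes = sorted(name for name, dirs in note_dirs[process].items() if len(dirs) >= min_note_dirs)
        if notes:
            f["note_dropped_everywhere"] = notes
        if run_keys[process]:
            f["run_key_persistence"] = run_keys[process]
        hits = sum(k in f for k in ("appended_extension", "note_dropped_everywhere", "run_key_persistence"))
        if hits:
            f["hits"] = hits
            f["verdict"] = "ransomware-like" if hits >= 2 else "suspicious"
            findings[process] = f
    return findings


if __name__ == "__main__":
    for process, f in analyse(parse_events(SAMPLE_EVENTS)).items():
        print(process, f)
```

The rename heuristic deliberately only counts `src => src.<ext>` pairs, so ordinary saves or moves that change the base name do not inflate the count; the note heuristic keys on one basename appearing in several distinct directories rather than on the string `RESTORE_FILES`, so it also fires on samples that use a different note name.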
Processes
C:\Users\Admin\AppData\Local\Temp\rdpclient.exe
"C:\Users\Admin\AppData\Local\Temp\rdpclient.exe"
Network
Files
memory/1328-54-0x0000000000290000-0x0000000000294000-memory.dmp
memory/1328-55-0x000000013FD40000-0x000000013FD57000-memory.dmp
memory/1328-58-0x0000000000290000-0x0000000000294000-memory.dmp
memory/1328-57-0x0000000000100000-0x0000000000105000-memory.dmp
memory/1328-56-0x00000000000E0000-0x00000000000E7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-21 12:47
Reported
2022-11-21 12:49
Platform
win10v2004-20221111-en
Max time kernel
154s
Max time network
155s
Command Line
Signatures
Azov
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\CompressEnable.mp4v | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\is.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sk.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\plugin-hang-ui.exe | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\net.properties | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\blacklist | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\ir.idl | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ku.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\OFFICE16\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_partstyle.css | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sq.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.update.configurator_3.3.300.v20140518-1928.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-openide-options.xml_hidden | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ink\ko-KR\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\MANIFEST.MF | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedbck2.gif | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.http.jetty_3.0.200.v20131021-1843.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ink\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\it.pak | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_ja.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-ui_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogoCanary.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\Common Files\System\ado\en-US\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.commands_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_es.properties | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\include\classfile_constants.h | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi_3.10.1.v20140909-1633.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_ja.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-actions.xml | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ink\pt-PT\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzmappings | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\rdpclient.exe
"C:\Users\Admin\AppData\Local\Temp\rdpclient.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.248.7.254:80 | | tcp |
| N/A | 87.248.202.1:80 | | tcp |
| N/A | 20.190.159.75:443 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 8.248.7.254:80 | | tcp |
| N/A | 8.247.211.126:80 | | tcp |
| N/A | 52.242.97.97:443 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 8.8.8.8:53 | 164.2.77.40.in-addr.arpa | udp |
| N/A | 8.248.99.254:80 | | tcp |
| N/A | 8.248.99.254:80 | | tcp |
| N/A | 87.248.202.1:80 | | tcp |
| N/A | 87.248.202.1:80 | | tcp |
Files
memory/3656-132-0x0000018F932D0000-0x0000018F932D4000-memory.dmp
memory/3656-133-0x00007FF796460000-0x00007FF796477000-memory.dmp
memory/3656-136-0x0000018F932D0000-0x0000018F932D4000-memory.dmp
memory/3656-135-0x0000018F932C0000-0x0000018F932C5000-memory.dmp
memory/3656-134-0x0000018F932A0000-0x0000018F932A7000-memory.dmp