Malware Analysis Report

2024-09-23 06:58

Sample ID 221121-pz7peaec9y
Target rdpclient.exe
SHA256 d4b81ee9f7f012676c701b3ef9f98a6d6f224db9501ea40cc4fd5991844fe723
Tags
azov persistence ransomware spyware stealer wiper
score
10/10


Analysis Overview

score
10/10

SHA256

d4b81ee9f7f012676c701b3ef9f98a6d6f224db9501ea40cc4fd5991844fe723

Threat Level: Known bad

The file rdpclient.exe was found to be: Known bad.

Malicious Activity Summary

azov persistence ransomware spyware stealer wiper

Azov

Modifies extensions of user files

Drops startup file

Reads user/profile data of web browsers

Adds Run key to start application

Enumerates connected drives

Drops file in Program Files directory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-11-21 12:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-21 12:47

Reported

2022-11-21 12:49

Platform

win7-20221111-en

Max time kernel

149s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rdpclient.exe"

Signatures

Azov

ransomware wiper azov

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\EnableRead.crw => C:\Users\Admin\Pictures\EnableRead.crw.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A
File renamed | C:\Users\Admin\Pictures\ExitTest.raw => C:\Users\Admin\Pictures\ExitTest.raw.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A
File renamed | C:\Users\Admin\Pictures\RegisterGroup.raw => C:\Users\Admin\Pictures\RegisterGroup.raw.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A
File renamed | C:\Users\Admin\Pictures\RenameCopy.crw => C:\Users\Admin\Pictures\RenameCopy.crw.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\ResumeApprove.tiff | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A
File renamed | C:\Users\Admin\Pictures\ResumeApprove.tiff => C:\Users\Admin\Pictures\ResumeApprove.tiff.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A
File renamed | C:\Users\Admin\Pictures\UndoRestore.crw => C:\Users\Admin\Pictures\UndoRestore.crw.azov | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A

Enumerates connected drives


Drops file in Program Files directory


Processes

C:\Users\Admin\AppData\Local\Temp\rdpclient.exe

"C:\Users\Admin\AppData\Local\Temp\rdpclient.exe"

Network

N/A

Files

memory/1328-54-0x0000000000290000-0x0000000000294000-memory.dmp

memory/1328-55-0x000000013FD40000-0x000000013FD57000-memory.dmp

memory/1328-58-0x0000000000290000-0x0000000000294000-memory.dmp

memory/1328-57-0x0000000000100000-0x0000000000105000-memory.dmp

memory/1328-56-0x00000000000E0000-0x00000000000E7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-21 12:47

Reported

2022-11-21 12:49

Platform

win10v2004-20221111-en

Max time kernel

154s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rdpclient.exe"

Signatures

Azov

ransomware wiper azov

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\rdpclient.exe | N/A

Enumerates connected drives


Drops file in Program Files directory


Processes

C:\Users\Admin\AppData\Local\Temp\rdpclient.exe

"C:\Users\Admin\AppData\Local\Temp\rdpclient.exe"

Network


Files

memory/3656-132-0x0000018F932D0000-0x0000018F932D4000-memory.dmp

memory/3656-133-0x00007FF796460000-0x00007FF796477000-memory.dmp

memory/3656-136-0x0000018F932D0000-0x0000018F932D4000-memory.dmp

memory/3656-135-0x0000018F932C0000-0x0000018F932C5000-memory.dmp

memory/3656-134-0x0000018F932A0000-0x0000018F932A7000-memory.dmp