agenttesla | ee66a185008549b9ca0c687a78aa6a69e4770dd12cab9dc63d5346c1f570904b

Resubmissions

12/03/2025, 21:32

250312-1dmynatxey 10

11/03/2025, 16:10

250311-tmgdxaxnx4 10

06/03/2025, 02:30

250306-cze8yav1az 10

Analysis

max time kernel
893s
max time network
840s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/03/2025, 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe
Size

482KB
MD5

d5c6afc24d4fff226ae1190fde23e514
SHA1

e342136d49082c798e5da37f27a0bad894e3e4ce
SHA256

51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209
SHA512

4cfa0f5bacd1521792bc3278bd0b25871da1b86afc7e7a243b89cd2a7ccd7119ab013422c1cccad06790e2d5b3885180047684d5a3504d6a1f86ad42aba0a575
SSDEEP

12288:iCMnvQcYyer7in58R3wgG56gtIRQA/wpS:WvgyKG5c45ptIiA/wpS

Score

10^/10

agenttesla collection credential_access discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.boydsteamships.com
Port:
587
Username:
[email protected]
Password:
co*tNjEBt4

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

AgentTesla payload 8 IoCs

resource	yara_rule
behavioral11/memory/2808-6-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral11/memory/2808-5-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral11/memory/2808-11-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral11/memory/2808-15-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral11/memory/2808-13-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral11/memory/1060-89-0x0000000000090000-0x00000000000CC000-memory.dmp	family_agenttesla
behavioral11/memory/1060-86-0x0000000000090000-0x00000000000CC000-memory.dmp	family_agenttesla
behavioral11/memory/1060-82-0x0000000000090000-0x00000000000CC000-memory.dmp	family_agenttesla

Executes dropped EXE 30 IoCs

pid	Process
2256	Jedu.exe
2816	Jedu.exe
2672	Jedu.exe
2108	Jedu.exe
960	Jedu.exe
944	Jedu.exe
2324	Jedu.exe
1060	Jedu.exe
2740	Jedu.exe
2068	Jedu.exe
1680	Jedu.exe
2104	Jedu.exe
1936	Jedu.exe
2932	Jedu.exe
284	Jedu.exe
1796	Jedu.exe
1604	Jedu.exe
1152	Jedu.exe
2260	Jedu.exe
2880	Jedu.exe
872	Jedu.exe
640	Jedu.exe
1968	Jedu.exe
2144	Jedu.exe
1704	Jedu.exe
2508	Jedu.exe
2368	Jedu.exe
2584	Jedu.exe
2792	Jedu.exe
568	Jedu.exe

Loads dropped DLL 15 IoCs

pid	Process
2256	Jedu.exe
2672	Jedu.exe
960	Jedu.exe
2324	Jedu.exe
2740	Jedu.exe
1680	Jedu.exe
1936	Jedu.exe
284	Jedu.exe
1604	Jedu.exe
2260	Jedu.exe
872	Jedu.exe
1968	Jedu.exe
1704	Jedu.exe
2368	Jedu.exe
2792	Jedu.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe

Suspicious use of SetThreadContext 16 IoCs

description	pid	Process	procid_target
PID 2788 set thread context of 2808	2788	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe	31
PID 2256 set thread context of 2816	2256	Jedu.exe	40
PID 2672 set thread context of 2108	2672	Jedu.exe	48
PID 960 set thread context of 944	960	Jedu.exe	55
PID 2324 set thread context of 1060	2324	Jedu.exe	62
PID 2740 set thread context of 2068	2740	Jedu.exe	69
PID 1680 set thread context of 2104	1680	Jedu.exe	76
PID 1936 set thread context of 2932	1936	Jedu.exe	83
PID 284 set thread context of 1796	284	Jedu.exe	85
PID 1604 set thread context of 1152	1604	Jedu.exe	87
PID 2260 set thread context of 2880	2260	Jedu.exe	94
PID 872 set thread context of 640	872	Jedu.exe	101
PID 1968 set thread context of 2144	1968	Jedu.exe	108
PID 1704 set thread context of 2508	1704	Jedu.exe	115
PID 2368 set thread context of 2584	2368	Jedu.exe	117
PID 2792 set thread context of 568	2792	Jedu.exe	119

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedu.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1092	schtasks.exe
1792	schtasks.exe
2924	schtasks.exe
2620	schtasks.exe
2868	schtasks.exe
2388	schtasks.exe
2736	schtasks.exe
2588	schtasks.exe
2128	schtasks.exe
712	schtasks.exe
2264	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2808	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe
2808	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe
2816	Jedu.exe
2816	Jedu.exe
2108	Jedu.exe
2108	Jedu.exe
944	Jedu.exe
944	Jedu.exe
1060	Jedu.exe
1060	Jedu.exe
2068	Jedu.exe
2068	Jedu.exe
2104	Jedu.exe
2104	Jedu.exe
2932	Jedu.exe
2932	Jedu.exe
1796	Jedu.exe
1796	Jedu.exe
1152	Jedu.exe
1152	Jedu.exe
2880	Jedu.exe
2880	Jedu.exe
640	Jedu.exe
640	Jedu.exe
2144	Jedu.exe
2144	Jedu.exe
2508	Jedu.exe
2508	Jedu.exe
2584	Jedu.exe
2584	Jedu.exe
568	Jedu.exe
568	Jedu.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe
Token: SeDebugPrivilege	2808	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe
Token: SeDebugPrivilege	2256	Jedu.exe
Token: SeDebugPrivilege	2816	Jedu.exe
Token: SeDebugPrivilege	2672	Jedu.exe
Token: SeDebugPrivilege	2108	Jedu.exe
Token: SeDebugPrivilege	960	Jedu.exe
Token: SeDebugPrivilege	944	Jedu.exe
Token: SeDebugPrivilege	2324	Jedu.exe
Token: SeDebugPrivilege	1060	Jedu.exe
Token: SeDebugPrivilege	2740	Jedu.exe
Token: SeDebugPrivilege	2068	Jedu.exe
Token: SeDebugPrivilege	1680	Jedu.exe
Token: SeDebugPrivilege	2104	Jedu.exe
Token: SeDebugPrivilege	1936	Jedu.exe
Token: SeDebugPrivilege	2932	Jedu.exe
Token: SeDebugPrivilege	284	Jedu.exe
Token: SeDebugPrivilege	1796	Jedu.exe
Token: SeDebugPrivilege	1604	Jedu.exe
Token: SeDebugPrivilege	1152	Jedu.exe
Token: SeDebugPrivilege	2260	Jedu.exe
Token: SeDebugPrivilege	2880	Jedu.exe
Token: SeDebugPrivilege	872	Jedu.exe
Token: SeDebugPrivilege	640	Jedu.exe
Token: SeDebugPrivilege	1968	Jedu.exe
Token: SeDebugPrivilege	2144	Jedu.exe
Token: SeDebugPrivilege	1704	Jedu.exe
Token: SeDebugPrivilege	2508	Jedu.exe
Token: SeDebugPrivilege	2368	Jedu.exe
Token: SeDebugPrivilege	2584	Jedu.exe
Token: SeDebugPrivilege	2792	Jedu.exe
Token: SeDebugPrivilege	568	Jedu.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2808	2788	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe	31
PID 2788 wrote to memory of 2808	2788	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe	31
PID 2788 wrote to memory of 2808	2788	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe	31
PID 2788 wrote to memory of 2808	2788	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe	31
PID 2788 wrote to memory of 2808	2788	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe	31
PID 2788 wrote to memory of 2808	2788	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe	31
PID 2788 wrote to memory of 2808	2788	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe	31
PID 2788 wrote to memory of 2808	2788	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe	31
PID 2788 wrote to memory of 2808	2788	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe	31
PID 2788 wrote to memory of 2808	2788	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe	31
PID 2788 wrote to memory of 2808	2788	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe	31
PID 2788 wrote to memory of 2808	2788	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe	31
PID 2788 wrote to memory of 2592	2788	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe	32
PID 2788 wrote to memory of 2592	2788	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe	32
PID 2788 wrote to memory of 2592	2788	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe	32
PID 2788 wrote to memory of 2592	2788	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe	32
PID 2788 wrote to memory of 2736	2788	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe	34
PID 2788 wrote to memory of 2736	2788	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe	34
PID 2788 wrote to memory of 2736	2788	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe	34
PID 2788 wrote to memory of 2736	2788	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe	34
PID 2592 wrote to memory of 2588	2592	cmd.exe	36
PID 2592 wrote to memory of 2588	2592	cmd.exe	36
PID 2592 wrote to memory of 2588	2592	cmd.exe	36
PID 2592 wrote to memory of 2588	2592	cmd.exe	36
PID 1712 wrote to memory of 2256	1712	taskeng.exe	39
PID 1712 wrote to memory of 2256	1712	taskeng.exe	39
PID 1712 wrote to memory of 2256	1712	taskeng.exe	39
PID 1712 wrote to memory of 2256	1712	taskeng.exe	39
PID 1712 wrote to memory of 2256	1712	taskeng.exe	39
PID 1712 wrote to memory of 2256	1712	taskeng.exe	39
PID 1712 wrote to memory of 2256	1712	taskeng.exe	39
PID 2256 wrote to memory of 2816	2256	Jedu.exe	40
PID 2256 wrote to memory of 2816	2256	Jedu.exe	40
PID 2256 wrote to memory of 2816	2256	Jedu.exe	40
PID 2256 wrote to memory of 2816	2256	Jedu.exe	40
PID 2256 wrote to memory of 2816	2256	Jedu.exe	40
PID 2256 wrote to memory of 2816	2256	Jedu.exe	40
PID 2256 wrote to memory of 2816	2256	Jedu.exe	40
PID 2256 wrote to memory of 2816	2256	Jedu.exe	40
PID 2256 wrote to memory of 2816	2256	Jedu.exe	40
PID 2256 wrote to memory of 2816	2256	Jedu.exe	40
PID 2256 wrote to memory of 2816	2256	Jedu.exe	40
PID 2256 wrote to memory of 2816	2256	Jedu.exe	40
PID 2256 wrote to memory of 2920	2256	Jedu.exe	41
PID 2256 wrote to memory of 2920	2256	Jedu.exe	41
PID 2256 wrote to memory of 2920	2256	Jedu.exe	41
PID 2256 wrote to memory of 2920	2256	Jedu.exe	41
PID 2256 wrote to memory of 2892	2256	Jedu.exe	42
PID 2256 wrote to memory of 2892	2256	Jedu.exe	42
PID 2256 wrote to memory of 2892	2256	Jedu.exe	42
PID 2256 wrote to memory of 2892	2256	Jedu.exe	42
PID 2920 wrote to memory of 1092	2920	cmd.exe	45
PID 2920 wrote to memory of 1092	2920	cmd.exe	45
PID 2920 wrote to memory of 1092	2920	cmd.exe	45
PID 2920 wrote to memory of 1092	2920	cmd.exe	45
PID 1712 wrote to memory of 2672	1712	taskeng.exe	46
PID 1712 wrote to memory of 2672	1712	taskeng.exe	46
PID 1712 wrote to memory of 2672	1712	taskeng.exe	46
PID 1712 wrote to memory of 2672	1712	taskeng.exe	46
PID 1712 wrote to memory of 2672	1712	taskeng.exe	46
PID 1712 wrote to memory of 2672	1712	taskeng.exe	46
PID 1712 wrote to memory of 2672	1712	taskeng.exe	46
PID 2672 wrote to memory of 2108	2672	Jedu.exe	48
PID 2672 wrote to memory of 2108	2672	Jedu.exe	48

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe

C:\Users\Admin\AppData\Local\Temp\51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe
"C:\Users\Admin\AppData\Local\Temp\51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe
  "C:\Users\Admin\AppData\Local\Temp\51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209.exe" "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2736

C:\Windows\system32\taskeng.exe
taskeng.exe {1E90A570-020A-4BD4-86A1-BF5E6072D0A3} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
    "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe" "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2892
- C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
    "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2352
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe" "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3036
- C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:960
- - C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
    "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:944
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2536
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe" "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1560
- C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- - C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
    "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2340
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe" "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1980
- C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- - C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
    "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:780
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe" "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1036
- C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- - C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
    "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2036
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe" "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2388
- C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- - C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
    "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:284
- - C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
    "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
- C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- - C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
    "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2324
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe" "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1576
- C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- - C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
    "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe" "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
- C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- - C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
    "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:640
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1460
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe" "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2180
- C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- - C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
    "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1384
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe" "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2104
- C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- - C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
    "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- - C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
    "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- - C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe
    "C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Jedu\Jedu.exe

Filesize
482KB

MD5
d5c6afc24d4fff226ae1190fde23e514

SHA1
e342136d49082c798e5da37f27a0bad894e3e4ce

SHA256
51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209

SHA512
4cfa0f5bacd1521792bc3278bd0b25871da1b86afc7e7a243b89cd2a7ccd7119ab013422c1cccad06790e2d5b3885180047684d5a3504d6a1f86ad42aba0a575

Download Submit
memory/1060-82-0x0000000000090000-0x00000000000CC000-memory.dmp

Filesize
240KB

Download
memory/1060-86-0x0000000000090000-0x00000000000CC000-memory.dmp

Filesize
240KB

Download
memory/1060-89-0x0000000000090000-0x00000000000CC000-memory.dmp

Filesize
240KB

Download
memory/2108-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2256-23-0x0000000000DD0000-0x0000000000E4E000-memory.dmp

Filesize
504KB

Download
memory/2788-0-0x00000000749CE000-0x00000000749CF000-memory.dmp

Filesize
4KB

Download
memory/2788-1-0x00000000011E0000-0x000000000125E000-memory.dmp

Filesize
504KB

Download
memory/2788-2-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/2788-9-0x00000000749CE000-0x00000000749CF000-memory.dmp

Filesize
4KB

Download
memory/2788-10-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/2788-18-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/2808-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2808-16-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/2808-17-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/2808-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2808-11-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2808-3-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2808-24-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/2808-25-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/2808-4-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2808-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2808-6-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2808-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2816-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download