Malware Analysis Report

2025-04-14 08:31

Sample ID 220208-dw6r6acefr
Target 5520385b93a3e92671bacf50d26259802d7af1a75968c56c2b973ca92193f9a4
SHA256 5520385b93a3e92671bacf50d26259802d7af1a75968c56c2b973ca92193f9a4
Tags
agenttesla wshrat collection keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

5520385b93a3e92671bacf50d26259802d7af1a75968c56c2b973ca92193f9a4

Threat Level: Known bad

The file 5520385b93a3e92671bacf50d26259802d7af1a75968c56c2b973ca92193f9a4 was found to be: Known bad.

Malicious Activity Summary

agenttesla wshrat collection keylogger persistence spyware stealer trojan

Wshrat family

WSHRAT

WSHRAT Payload

AgentTesla

AgentTesla Payload

Blocklisted process makes network request

Executes dropped EXE

Drops startup file

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Checks computer location settings

Reads data files stored by FTP clients

Adds Run key to start application

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

outlook_win_path

outlook_office_path

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-08 03:22

Signatures

WSHRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A

Wshrat family

wshrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-08 03:22

Reported

2022-02-08 04:55

Platform

win7-en-20211208

Max time kernel

156s

Max time network

178s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\817086-QUOTE APPROVAL.js"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

WSHRAT

trojan wshrat

WSHRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

AgentTesla Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Internet Explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\817086-QUOTE APPROVAL.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\817086-QUOTE APPROVAL.js C:\Windows\System32\wscript.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Internet Explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Internet Explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Internet Explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\817086-QUOTE APPROVAL = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\817086-QUOTE APPROVAL.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\817086-QUOTE APPROVAL = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\817086-QUOTE APPROVAL.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\File Transfer Protocol = "C:\\Users\\Admin\\AppData\\Roaming\\File Transfer Protocol\\File Transfer Protocol.exe" C:\Users\Admin\AppData\Roaming\Internet Explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\817086-QUOTE APPROVAL = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\817086-QUOTE APPROVAL.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\817086-QUOTE APPROVAL = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\817086-QUOTE APPROVAL.js\"" C:\Windows\System32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Internet Explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Internet Explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Internet Explorer.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Internet Explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Internet Explorer.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\817086-QUOTE APPROVAL.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\817086-QUOTE APPROVAL.js"

C:\Users\Admin\AppData\Roaming\Internet Explorer.exe

"C:\Users\Admin\AppData\Roaming\Internet Explorer.exe"

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 2021wsh.ddns.net udp

Files

memory/1340-54-0x000007FEFBC21000-0x000007FEFBC23000-memory.dmp

C:\Users\Admin\AppData\Roaming\817086-QUOTE APPROVAL.js

MD5 840dc62a11fb14751fe953d7dfcd5574
SHA1 64e0dab4021a7329e032641c9a2d996702e35828
SHA256 f15399a055d4eb34ad03dde34727b9728b55da64abfc14b3f25e7ae5527216b9
SHA512 7a0c68ecbc5692664479ee184251bc25c47fca75dbe2f5f664cd2ed3be1f4a8bea58534bb2fa0c267d55e6082277c66c325f5cbe13fc6f893a5c87a46fe95db5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\817086-QUOTE APPROVAL.js

MD5 840dc62a11fb14751fe953d7dfcd5574
SHA1 64e0dab4021a7329e032641c9a2d996702e35828
SHA256 f15399a055d4eb34ad03dde34727b9728b55da64abfc14b3f25e7ae5527216b9
SHA512 7a0c68ecbc5692664479ee184251bc25c47fca75dbe2f5f664cd2ed3be1f4a8bea58534bb2fa0c267d55e6082277c66c325f5cbe13fc6f893a5c87a46fe95db5

C:\Users\Admin\AppData\Roaming\Internet Explorer.exe

MD5 69968540ca3bc109959e30c6c5c4b746
SHA1 5629ab083b93eb0b929d5918911c4573d3e8cf73
SHA256 4b18321dbf058432c0ae26683c816406771e44cff9fbfcf26e87e6ff1029a35d
SHA512 66d8f565561dc3a8d7c282fe0ff2f2a250d084a64caee5f6f8f8d13b8cf3514a541deb71d88fdcd71d70e66ffe4c851df0f962b4703d8ced9053db0942ac3ed6

memory/748-71-0x0000000074600000-0x0000000074CEE000-memory.dmp

memory/748-72-0x0000000000340000-0x000000000037C000-memory.dmp

memory/748-73-0x0000000004A50000-0x0000000004A51000-memory.dmp

memory/748-74-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

memory/748-75-0x0000000004A51000-0x0000000004A52000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-08 03:22

Reported

2022-02-08 04:55

Platform

win10v2004-en-20220113

Max time kernel

167s

Max time network

201s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\817086-QUOTE APPROVAL.js"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

WSHRAT

trojan wshrat

WSHRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

AgentTesla Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Internet Explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\817086-QUOTE APPROVAL.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\817086-QUOTE APPROVAL.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\817086-QUOTE APPROVAL = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\817086-QUOTE APPROVAL.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\817086-QUOTE APPROVAL = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\817086-QUOTE APPROVAL.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\File Transfer Protocol = "C:\\Users\\Admin\\AppData\\Roaming\\File Transfer Protocol\\File Transfer Protocol.exe" C:\Users\Admin\AppData\Roaming\Internet Explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\817086-QUOTE APPROVAL = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\817086-QUOTE APPROVAL.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\817086-QUOTE APPROVAL = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\817086-QUOTE APPROVAL.js\"" C:\Windows\System32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File opened for modification C:\Windows\WinSxS\pending.xml C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Internet Explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Internet Explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Internet Explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\817086-QUOTE APPROVAL.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\817086-QUOTE APPROVAL.js"

C:\Users\Admin\AppData\Roaming\Internet Explorer.exe

"C:\Users\Admin\AppData\Roaming\Internet Explorer.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

Network

Country Destination Domain Proto
US 20.42.65.84:443 tcp
NL 104.110.191.133:80 tcp
NL 104.110.191.133:80 tcp
US 8.8.8.8:53 crl3.digicert.com udp
US 72.21.91.29:80 crl3.digicert.com tcp
US 52.184.206.73:443 tcp
US 72.21.91.29:80 crl3.digicert.com tcp
US 8.8.8.8:53 crl4.digicert.com udp
US 93.184.220.29:80 crl4.digicert.com tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
NL 51.124.78.146:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 2021wsh.ddns.net udp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 93.184.220.29:80 crl4.digicert.com tcp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 93.184.220.29:80 crl4.digicert.com tcp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 93.184.220.29:80 crl4.digicert.com tcp

Files

C:\Users\Admin\AppData\Roaming\817086-QUOTE APPROVAL.js

MD5 840dc62a11fb14751fe953d7dfcd5574
SHA1 64e0dab4021a7329e032641c9a2d996702e35828
SHA256 f15399a055d4eb34ad03dde34727b9728b55da64abfc14b3f25e7ae5527216b9
SHA512 7a0c68ecbc5692664479ee184251bc25c47fca75dbe2f5f664cd2ed3be1f4a8bea58534bb2fa0c267d55e6082277c66c325f5cbe13fc6f893a5c87a46fe95db5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\817086-QUOTE APPROVAL.js

MD5 840dc62a11fb14751fe953d7dfcd5574
SHA1 64e0dab4021a7329e032641c9a2d996702e35828
SHA256 f15399a055d4eb34ad03dde34727b9728b55da64abfc14b3f25e7ae5527216b9
SHA512 7a0c68ecbc5692664479ee184251bc25c47fca75dbe2f5f664cd2ed3be1f4a8bea58534bb2fa0c267d55e6082277c66c325f5cbe13fc6f893a5c87a46fe95db5

C:\Users\Admin\AppData\Roaming\Internet Explorer.exe

MD5 69968540ca3bc109959e30c6c5c4b746
SHA1 5629ab083b93eb0b929d5918911c4573d3e8cf73
SHA256 4b18321dbf058432c0ae26683c816406771e44cff9fbfcf26e87e6ff1029a35d
SHA512 66d8f565561dc3a8d7c282fe0ff2f2a250d084a64caee5f6f8f8d13b8cf3514a541deb71d88fdcd71d70e66ffe4c851df0f962b4703d8ced9053db0942ac3ed6

memory/4204-134-0x0000000000890000-0x00000000008CC000-memory.dmp

memory/4204-135-0x00000000056C0000-0x0000000005C64000-memory.dmp

memory/4204-136-0x00000000051B0000-0x0000000005242000-memory.dmp

memory/4204-137-0x0000000074DB0000-0x0000000075560000-memory.dmp

memory/4204-138-0x0000000005110000-0x00000000056B4000-memory.dmp

memory/4204-139-0x0000000005250000-0x00000000052EC000-memory.dmp

memory/4204-140-0x0000000006020000-0x0000000006086000-memory.dmp

memory/4164-153-0x000001C7C5B40000-0x000001C7C5B44000-memory.dmp