Windows Analysis Report
setup.msi

Overview

General Information

Sample name:setup.msi
Analysis ID:1455422
MD5:d06b110d3ce70b99849be9b67e0628e5
SHA1:5d4d89cd45ef98d53960a02187785827c6d80e7a
SHA256:1b1ab24f18299a51ac735702d501f92e627065666293ec5f31431e9b0997870b
Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Bypasses PowerShell execution policy
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Suspicious MsiExec Embedding Parent
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • msiexec.exe (PID: 6668 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 6768 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 6948 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 76F054D823F7B346F706921024C133C7 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • powershell.exe (PID: 7060 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC17B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC168.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC169.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC16A.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 3192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC17B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC168.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC169.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC16A.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC17B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC168.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC169.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC16A.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 76F054D823F7B346F706921024C133C7, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6948, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC17B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC168.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC169.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC16A.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7060, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton, Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC17B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC168.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC169.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC16A.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC17B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC168.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC169.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC16A.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 76F054D823F7B346F706921024C133C7, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6948, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC17B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC168.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC169.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC16A.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7060, ProcessName: powershell.exe
Source: Process started, Author: frack113, Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC17B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC168.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC169.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC16A.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC17B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC168.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC169.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC16A.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 76F054D823F7B346F706921024C133C7, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6948, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC17B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC168.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC169.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC16A.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7060, ProcessName: powershell.exe
Source: Process started, Author: frack113, Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC17B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC168.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC169.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC16A.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC17B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC168.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC169.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC16A.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 76F054D823F7B346F706921024C133C7, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6948, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC17B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC168.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC169.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC16A.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7060, ProcessName: powershell.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC17B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC168.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC169.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC16A.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC17B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC168.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC169.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC16A.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 76F054D823F7B346F706921024C133C7, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6948, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC17B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC168.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC169.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC16A.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7060, ProcessName: powershell.exe
No Snort rule has matched

Source: unknown, HTTPS traffic detected: 172.67.154.227:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: Binary string: CorSymReader.pdb source: Microsoft.DiaSymReader.Native.amd64.dll.1.dr
Source: Binary string: Microsoft.CSharp.ni.pdb source: Microsoft.CSharp.dll.1.dr
Source: Binary string: D:\a\audacity\audacity\.build.x64\RelWithDebInfo\lib-command-parameters.pdb source: lib-command-parameters.dll.1.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: `OTHER`TEMP`PACKED<%s return value>internal error: failed to write debug data to pdb streaminternal error: failed to add section contributioninternal warning: PDB Error string is "%S"internal error: failed to close debug infointernal error: failed to close PDBinternal error: failed to open PDB for writing in streaminternal error: failed to create debug info in PDBinternal error: failed to add code section to debug infointernal error: failed to add module to debug infointernal error: failed to create type info in PDBinternal error: failed to create inline type info in PDBinternal error: failed to create source file store in PDBinternal error: failed to close source file store in PDBinternal error: failed to close module in debug infointernal error: failed to commit type info in PDBinternal error: failed to commit inline type info in PDBinternal error: failed to add section header to debug infointernal error: failed to append section header to pdbinternal error: failed to close section header in debug infointernal error: failed to close debug info in PDBinternal error: failed to commit PDBinternal error: PDB data too largeinternal error: PDB stream truncatedinternal error: failed to close source file storeinternal error: failed to close type infointernal error: pdb append failedfxl_4_0too many arguments to target TXtoo many outputs to target TXclip not supported in texture shadersinvalid reference to input semantic '%s%d'invalid reference to output semantic '%s%d'0123456789abcdef.pdbVPosSV_ViewportArrayIndexColorFailed to log error, redirecting to debug output: source: D3DCompiler_47_cor3.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: setup.msi
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\jit\clrjit.pdb source: clrjit.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source: Binary string: SymBinderBothSymReader.diaDia based SymReaderPdb based SymWriterCorSymWriter.pdbPdb based CorSymWriterCorSymReader.pdbPdb based CorSymReaderCorSymBinderNDP SymBinderCorSymWriterNDP SymWriterCorSymReaderNDP SymReader source: Microsoft.DiaSymReader.Native.amd64.dll.1.dr
Source: Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\Microsoft.DiaSymReader.Native.amd64.pdb source: Microsoft.DiaSymReader.Native.amd64.dll.1.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: setup.msi
Source: Binary string: D3DCompiler_47.pdb source: D3DCompiler_47_cor3.dll.1.dr
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: api-ms-win-core-console-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.CSharp\net6.0-windows-Release\Microsoft.CSharp.pdb source: Microsoft.CSharp.dll.1.dr
Source: Binary string: CorSymWriter.pdb source: Microsoft.DiaSymReader.Native.amd64.dll.1.dr
Source: Binary string: D3DCompiler_47.pdbGCTL source: D3DCompiler_47_cor3.dll.1.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: setup.msi, MSIC0B1.tmp.1.dr, MSIBF76.tmp.1.dr, MSIBD13.tmp.1.dr
Source: Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\Microsoft.DiaSymReader.Native.amd64.pdbn source: Microsoft.DiaSymReader.Native.amd64.dll.1.dr
Source: C:\Windows\System32\msiexec.exe, File opened: z:
Source: C:\Windows\System32\msiexec.exe, File opened: x:
Source: C:\Windows\System32\msiexec.exe, File opened: v:
Source: C:\Windows\System32\msiexec.exe, File opened: t:
Source: C:\Windows\System32\msiexec.exe, File opened: r:
Source: C:\Windows\System32\msiexec.exe, File opened: p:
Source: C:\Windows\System32\msiexec.exe, File opened: n:
Source: C:\Windows\System32\msiexec.exe, File opened: l:
Source: C:\Windows\System32\msiexec.exe, File opened: j:
Source: C:\Windows\System32\msiexec.exe, File opened: h:
Source: C:\Windows\System32\msiexec.exe, File opened: f:
Source: C:\Windows\System32\msiexec.exe, File opened: b:
Source: C:\Windows\System32\msiexec.exe, File opened: y:
Source: C:\Windows\System32\msiexec.exe, File opened: w:
Source: C:\Windows\System32\msiexec.exe, File opened: u:
Source: C:\Windows\System32\msiexec.exe, File opened: s:
Source: C:\Windows\System32\msiexec.exe, File opened: q:
Source: C:\Windows\System32\msiexec.exe, File opened: o:
Source: C:\Windows\System32\msiexec.exe, File opened: m:
Source: C:\Windows\System32\msiexec.exe, File opened: k:
Source: C:\Windows\System32\msiexec.exe, File opened: i:
Source: C:\Windows\System32\msiexec.exe, File opened: g:
Source: C:\Windows\System32\msiexec.exe, File opened: e:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: c:
Source: C:\Windows\System32\msiexec.exe, File opened: a:
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic, HTTP traffic detected: GET /userLicense.php?iugeh=9501&aigfj=sojgjf&sufv=67 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: gay-domain.com | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /userLicense.php?iugeh=9501&aigfj=sojgjf&sufv=67 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: gay-domain.com | Connection: Keep-Alive
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, HTTP traffic detected: GET /userLicense.php?iugeh=9501&aigfj=sojgjf&sufv=67 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: gay-domain.com | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /userLicense.php?iugeh=9501&aigfj=sojgjf&sufv=67 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: gay-domain.com | Connection: Keep-Alive
Source: global traffic, DNS traffic detected: DNS query: gay-domain.com
Source: lib-command-parameters.dll.1.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: lib-command-parameters.dll.1.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: lib-command-parameters.dll.1.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Microsoft.CSharp.dll.1.dr, Microsoft.DiaSymReader.Native.amd64.dll.1.dr, clrjit.dll.1.dr, D3DCompiler_47_cor3.dll.1.dr, String found in binary or memory: http://ccsca2021.crl.certum.pl/ccsca2021.crl0s
Source: Microsoft.CSharp.dll.1.dr, Microsoft.DiaSymReader.Native.amd64.dll.1.dr, clrjit.dll.1.dr, D3DCompiler_47_cor3.dll.1.dr, String found in binary or memory: http://ccsca2021.ocsp-certum.com05
Source: Microsoft.CSharp.dll.1.dr, Microsoft.DiaSymReader.Native.amd64.dll.1.dr, clrjit.dll.1.dr, D3DCompiler_47_cor3.dll.1.dr, String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: Microsoft.CSharp.dll.1.dr, Microsoft.DiaSymReader.Native.amd64.dll.1.dr, clrjit.dll.1.dr, D3DCompiler_47_cor3.dll.1.dr, String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: Microsoft.CSharp.dll.1.dr, Microsoft.DiaSymReader.Native.amd64.dll.1.dr, clrjit.dll.1.dr, D3DCompiler_47_cor3.dll.1.dr, String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: lib-command-parameters.dll.1.dr, String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: lib-command-parameters.dll.1.dr, String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: lib-command-parameters.dll.1.dr, String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: lib-command-parameters.dll.1.dr, String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: lib-command-parameters.dll.1.dr, String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: lib-command-parameters.dll.1.dr, String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: lib-command-parameters.dll.1.dr, String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: lib-command-parameters.dll.1.dr, String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: lib-command-parameters.dll.1.dr, String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: powershell.exe, 00000003.00000002.1756900335.0000000005326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1756900335.0000000005877000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1756900335.000000000583F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1756900335.0000000005892000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://gay-domain.com
Source: powershell.exe, 00000003.00000002.1756900335.00000000057FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1756900335.000000000583F000.00000004.00000800.00020000.00000000.sdmp, setup.msi, String found in binary or memory: http://gay-domain.com/userLicense.php?iugeh=9501&aigfj=sojgjf&sufv=67
Source: powershell.exe, 00000003.00000002.1759677985.0000000006239000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
Source: lib-command-parameters.dll.1.dr, String found in binary or memory: http://ocsp.comodoca.com0
Source: lib-command-parameters.dll.1.dr, String found in binary or memory: http://ocsp.digicert.com0A
Source: lib-command-parameters.dll.1.dr, String found in binary or memory: http://ocsp.digicert.com0C
Source: lib-command-parameters.dll.1.dr, String found in binary or memory: http://ocsp.digicert.com0X
Source: lib-command-parameters.dll.1.dr, String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000003.00000002.1756900335.0000000005326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1760744523.0000000007830000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Microsoft.CSharp.dll.1.dr, Microsoft.DiaSymReader.Native.amd64.dll.1.dr, clrjit.dll.1.dr, D3DCompiler_47_cor3.dll.1.dr, String found in binary or memory: http://repository.certum.pl/ccsca2021.cer0
Source: Microsoft.CSharp.dll.1.dr, Microsoft.DiaSymReader.Native.amd64.dll.1.dr, clrjit.dll.1.dr, D3DCompiler_47_cor3.dll.1.dr, String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: Microsoft.CSharp.dll.1.dr, Microsoft.DiaSymReader.Native.amd64.dll.1.dr, clrjit.dll.1.dr, D3DCompiler_47_cor3.dll.1.dr, String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: Microsoft.CSharp.dll.1.dr, Microsoft.DiaSymReader.Native.amd64.dll.1.dr, clrjit.dll.1.dr, D3DCompiler_47_cor3.dll.1.dr, String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: powershell.exe, 00000003.00000002.1756900335.00000000051D1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Microsoft.CSharp.dll.1.dr, Microsoft.DiaSymReader.Native.amd64.dll.1.dr, clrjit.dll.1.dr, D3DCompiler_47_cor3.dll.1.dr, String found in binary or memory: http://subca.ocsp-certum.com01
Source: Microsoft.CSharp.dll.1.dr, Microsoft.DiaSymReader.Native.amd64.dll.1.dr, clrjit.dll.1.dr, D3DCompiler_47_cor3.dll.1.dr, String found in binary or memory: http://subca.ocsp-certum.com02
Source: Microsoft.CSharp.dll.1.dr, Microsoft.DiaSymReader.Native.amd64.dll.1.dr, clrjit.dll.1.dr, D3DCompiler_47_cor3.dll.1.dr, String found in binary or memory: http://subca.ocsp-certum.com05
Source: Qt5Gui.dll.1.dr, String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: powershell.exe, 00000003.00000002.1756900335.0000000005326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1760744523.0000000007830000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Microsoft.CSharp.dll.1.dr, Microsoft.DiaSymReader.Native.amd64.dll.1.dr, clrjit.dll.1.dr, D3DCompiler_47_cor3.dll.1.dr, String found in binary or memory: http://www.certum.pl/CPS0
Source: Qt5Gui.dll.1.dr, String found in binary or memory: http://www.color.org)
Source: powershell.exe, 00000003.00000002.1756900335.00000000051D1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.1759677985.0000000006239000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1759677985.0000000006239000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1759677985.0000000006239000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.1756900335.0000000005881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1756900335.000000000545F000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://gay-domain.com
Source: powershell.exe, 00000003.00000002.1756900335.0000000005881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1756900335.0000000005877000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1756900335.000000000545F000.00000004.00000800.0002000