Windows Analysis Report
vRp56pf5a9.exe

Overview

General Information

Sample name:	vRp56pf5a9.exe renamed because original name is a hash value
Original sample name:	5790d1417f8f00bd7ec6fb7011c79d9c.exe
Analysis ID:	1426786
MD5:	5790d1417f8f00bd7ec6fb7011c79d9c
SHA1:	36076ed9457c45d94e664ea291eb01e5c70d084b
SHA256:	ad07503bc046f5b3d65eb61646fa826bc39560916c6e1ef2c3437b6465b30a82
Tags:	64exetrojan
Infos:

Detection

CredGrabber, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected CredGrabber

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains potential unpacker

Allocates memory in foreign processes

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to inject code into remote processes

Creates multiple autostart registry keys

Found direct / indirect Syscall (likely to bypass EDR)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Queries time zone information

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Terminates after testing mutex exists (may check infected machine status)

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: vRp56pf5a9.exe	Avira: detected
Source: vRp56pf5a9.exe	Avira: detected
Source: vRp56pf5a9.exe	Avira: detected

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Avira: detection malicious, Label: TR/AVI.Agent.besyk
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Avira: detection malicious, Label: TR/AVI.Agent.uxixk
Source: C:\Users\user\AppData\Local\cvchost.exe	Avira: detection malicious, Label: TR/AVI.Agent.besyk

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Virustotal: Detection: 61%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Virustotal: Detection: 67%	Perma Link
Source: C:\Users\user\AppData\Local\cvchost.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\cvchost.exe	Virustotal: Detection: 67%	Perma Link

Multi AV Scanner detection for submitted file

Source: vRp56pf5a9.exe	ReversingLabs: Detection: 75%
Source: vRp56pf5a9.exe	Virustotal: Detection: 71%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\cvchost.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: vRp56pf5a9.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F1530EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,		0_2_00007FF70F1530EC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140047610 CryptUnprotectData,LocalFree,		6_2_0000000140047610

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49709 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49714 version: TLS 1.2

Source: vRp56pf5a9.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: wextract.pdb source: vRp56pf5a9.exe
Source:	Binary string: wextract.pdbGCTL source: vRp56pf5a9.exe
Source:	Binary string: Ghcbjyte.pdbx source: MSBuild.exe, 0000000D.00000002.4398283617.0000000005080000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003C2A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886B92000.00000004.00000800.00020000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8967FE000.00000004.00000800.00020000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2493330825.000002D89F610000.00000004.08000000.00040000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3231128972.000000000357E000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4052042219.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000C.00000002.4118162856.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Ghcbjyte.pdb source: MSBuild.exe, 0000000D.00000002.4398283617.0000000005080000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003C2A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886B92000.00000004.00000800.00020000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8967FE000.00000004.00000800.00020000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2493330825.000002D89F610000.00000004.08000000.00040000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3231128972.000000000357E000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4052042219.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000C.00000002.4118162856.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: responsibilitylead.exe, 00000001.00000002.2489625562.000002D89F100000.00000004.08000000.00040000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8968D5000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3239995479.00000000050A9000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4061666738.0000000004124000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: responsibilitylead.exe, 00000001.00000002.2489625562.000002D89F100000.00000004.08000000.00040000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8968D5000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3239995479.00000000050A9000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4061666738.0000000004124000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F15204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00007FF70F15204C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400329C0 FindFirstFileW,FindNextFileW,	6_2_00000001400329C0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140094A90 FindClose,FindFirstFileExW,GetLastError,	6_2_0000000140094A90
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140094B40 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,	6_2_0000000140094B40
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400A94B8 FindFirstFileExW,	6_2_00000001400A94B8

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Code function: 4x nop then jmp 00007FF848F62DF6h	1_2_00007FF848F31D02
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	9_2_060C07B8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 4x nop then jmp 060C7242h	9_2_060C7281
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	9_2_060C07B0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 4x nop then jmp 060C7242h	9_2_060C730C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 4x nop then jmp 0611AFAAh	9_2_0611AD90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 4x nop then jmp 0611A76Dh	9_2_0611A668
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 4x nop then jmp 0611A76Dh	9_2_0611A6D8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 4x nop then jmp 0611A76Dh	9_2_0611A6E8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 4x nop then jmp 0611AFAAh	9_2_0611AD80
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	11_2_059D07B8
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 4x nop then jmp 059D7242h	11_2_059D7281
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	11_2_059D07B0
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 4x nop then jmp 059D7242h	11_2_059D730C
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 4x nop then jmp 05A2AFAAh	11_2_05A2AD90
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 4x nop then jmp 05A2AFAAh	11_2_05A2AD80
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 4x nop then jmp 05A2A76Dh	11_2_05A2A6E8
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 4x nop then jmp 05A2A76Dh	11_2_05A2A6D8

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.5:49713 -> 109.107.181.83:15666
Source: global traffic	TCP traffic: 192.168.2.5:49719 -> 212.224.86.54:58003

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; /Host: api.ipify.orgCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /beer/Zdthsqoc.wav HTTP/1.1Host: 159.253.120.145Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /beer/Vxttheubu.mp4 HTTP/1.1Host: 159.253.120.145Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /beer/Vxttheubu.mp4 HTTP/1.1Host: 159.253.120.145Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /beer/Vxttheubu.mp4 HTTP/1.1Host: 159.253.120.145Connection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 212.224.86.54 212.224.86.54
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

May check the online IP address of the machine

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49709 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Code function: 6_2_0000000140050500 recv,recv,closesocket,WSACleanup,

6_2_0000000140050500

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; /Host: api.ipify.orgCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /beer/Zdthsqoc.wav HTTP/1.1Host: 159.253.120.145Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /beer/Vxttheubu.mp4 HTTP/1.1Host: 159.253.120.145Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /beer/Vxttheubu.mp4 HTTP/1.1Host: 159.253.120.145Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /beer/Vxttheubu.mp4 HTTP/1.1Host: 159.253.120.145Connection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D8867F1000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3231128972.0000000003281000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4052042219.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000C.00000002.4118162856.000000000293C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://159.253.120.145
Source: responsiibilitylead.exe, 00000009.00000002.3231128972.0000000003281000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4052042219.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000C.00000002.4118162856.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://159.253.120.145/beer/Vxttheubu.mp4
Source: vRp56pf5a9.exe, 00000000.00000003.1963487398.00000194131B7000.00000004.00000020.00020000.00000000.sdmp, vRp56pf5a9.exe, 00000000.00000003.1963397618.0000019414E94000.00000004.00000020.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000000.2501981324.0000000000E82000.00000002.00000001.01000000.0000000A.sdmp, responsiibilitylead.exe, 00000009.00000002.3231128972.000000000357E000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe.0.dr, cvchost.exe.9.dr	String found in binary or memory: http://159.253.120.145/beer/Vxttheubu.mp41EGP4CCIIOMuIUm3
Source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D8867F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://159.253.120.145/beer/Zdthsqoc.wav
Source: vRp56pf5a9.exe, 00000000.00000003.1963487398.00000194131B7000.00000004.00000020.00020000.00000000.sdmp, vRp56pf5a9.exe, 00000000.00000003.1963397618.0000019414E94000.00000004.00000020.00020000.00000000.sdmp, responsibilitylead.exe, 00000001.00000000.1964179398.000002D884C32000.00000002.00000001.01000000.00000004.sdmp, responsibilitylead.exe.0.dr	String found in binary or memory: http://159.253.120.145/beer/Zdthsqoc.wav1ac8RgXhHQGMLHirw3jKOBg==
Source: powershell.exe, 00000007.00000002.2625483953.000001D42857B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2589899727.000001D419ECC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2625483953.000001D4286B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.2589899727.000001D418731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D8867F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2589899727.000001D418501000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3231128972.0000000003281000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.4454869281.00000000028B2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.4454869281.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4052042219.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000C.00000002.4118162856.000000000293C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4359962060.00000000029EB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4359962060.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.4426106035.0000000002CC9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.4426106035.0000000002F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.2589899727.000001D418731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000007.00000002.2589899727.000001D418501000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: InstallUtil.exe, 00000006.00000002.2605907683.000001D4E3F03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: InstallUtil.exe, 00000006.00000002.2606912771.000001D4E5C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: InstallUtil.exe, 00000006.00000002.2605081121.000001D4E3E68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org2
Source: InstallUtil.exe, 00000006.00000002.2605907683.000001D4E3F03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgJ
Source: powershell.exe, 00000007.00000002.2625483953.000001D4286B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.2625483953.000001D4286B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.2625483953.000001D4286B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000007.00000002.2589899727.000001D418731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: responsibilitylead.exe, 00000001.00000002.2489625562.000002D89F100000.00000004.08000000.00040000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8968D5000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3239995479.00000000050A9000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4061666738.0000000004124000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: responsibilitylead.exe, 00000001.00000002.2489625562.000002D89F100000.00000004.08000000.00040000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8968D5000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3239995479.00000000050A9000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4061666738.0000000004124000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: responsibilitylead.exe, 00000001.00000002.2489625562.000002D89F100000.00000004.08000000.00040000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8968D5000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3239995479.00000000050A9000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4061666738.0000000004124000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: powershell.exe, 00000007.00000002.2589899727.000001D419131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000002.2625483953.000001D42857B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2589899727.000001D419ECC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2625483953.000001D4286B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: responsibilitylead.exe, 00000001.00000002.2489625562.000002D89F100000.00000004.08000000.00040000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8968D5000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3239995479.00000000050A9000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4061666738.0000000004124000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: responsibilitylead.exe, 00000001.00000002.2489625562.000002D89F100000.00000004.08000000.00040000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8968D5000.00000004.00000800.00020000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2479963304.000002D886831000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3239995479.00000000050A9000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3231128972.0000000003448000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.4454869281.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4061666738.0000000004124000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4052042219.0000000002D96000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000C.00000002.4118162856.0000000002B36000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4359962060.00000000029EB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.4426106035.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: responsibilitylead.exe, 00000001.00000002.2489625562.000002D89F100000.00000004.08000000.00040000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8968D5000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3239995479.00000000050A9000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4061666738.0000000004124000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49714 version: TLS 1.2

Contains functionality to record screenshots

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Code function: 6_2_0000000140051540 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,CreateStreamOnHGlobal,EnterCriticalSection,LeaveCriticalSection,GetObjectW,IStream_Size,IStream_Reset,IStream_Read,SelectObject,DeleteDC,ReleaseDC,DeleteObject,DeleteObject,EnterCriticalSection,EnterCriticalSection,GdiplusShutdown,LeaveCriticalSection,LeaveCriticalSection,

6_2_0000000140051540

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.responsiibilitylead.exe.47ab768.2.raw.unpack, type: UNPACKEDPE

Matched rule: Detects zgRAT Author: ditekSHen

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400A9668 NtQuerySystemInformation,		6_2_00000001400A9668
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140058BC0 _Init_thread_header,GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcess,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle,		6_2_0000000140058BC0

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F152C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,		0_2_00007FF70F152C54
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F151C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,		0_2_00007FF70F151C0C

Detected potential crypto function

Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F151D28	0_2_00007FF70F151D28
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F155D90	0_2_00007FF70F155D90
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F1566C4	0_2_00007FF70F1566C4
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F1540C4	0_2_00007FF70F1540C4
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F156CA4	0_2_00007FF70F156CA4
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F152DB4	0_2_00007FF70F152DB4
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F153530	0_2_00007FF70F153530
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F151C0C	0_2_00007FF70F151C0C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140052000	6_2_0000000140052000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014006A19F	6_2_000000014006A19F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140037240	6_2_0000000140037240
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014005E260	6_2_000000014005E260
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400422B0	6_2_00000001400422B0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014004B3F0	6_2_000000014004B3F0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014005C4D8	6_2_000000014005C4D8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140051540	6_2_0000000140051540
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014007155C	6_2_000000014007155C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014003D570	6_2_000000014003D570
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014002D710	6_2_000000014002D710
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400388F0	6_2_00000001400388F0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140056938	6_2_0000000140056938
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140083934	6_2_0000000140083934
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014007DAFC	6_2_000000014007DAFC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140094B40	6_2_0000000140094B40
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140050C80	6_2_0000000140050C80
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140048E40	6_2_0000000140048E40
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140055EA0	6_2_0000000140055EA0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140032FB0	6_2_0000000140032FB0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014002FFE0	6_2_000000014002FFE0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400060C0	6_2_00000001400060C0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014006E0D0	6_2_000000014006E0D0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140076128	6_2_0000000140076128
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140068140	6_2_0000000140068140
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014002E1BE	6_2_000000014002E1BE
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140081254	6_2_0000000140081254
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140076310	6_2_0000000140076310
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014008B330	6_2_000000014008B330
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014007A33C	6_2_000000014007A33C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014006E3F0	6_2_000000014006E3F0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140077420	6_2_0000000140077420
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140060420	6_2_0000000140060420
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140087498	6_2_0000000140087498
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400764F8	6_2_00000001400764F8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014005B610	6_2_000000014005B610
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014004A640	6_2_000000014004A640
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014007F6C4	6_2_000000014007F6C4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400256D0	6_2_00000001400256D0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014006870F	6_2_000000014006870F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014006D780	6_2_000000014006D780
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400067D0	6_2_00000001400067D0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400247F0	6_2_00000001400247F0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140085854	6_2_0000000140085854
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140072898	6_2_0000000140072898
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140089904	6_2_0000000140089904
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140081962	6_2_0000000140081962
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140096A10	6_2_0000000140096A10
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140028A70	6_2_0000000140028A70
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014006DAB0	6_2_000000014006DAB0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140076B40	6_2_0000000140076B40
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014004CB60	6_2_000000014004CB60
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014009AC28	6_2_000000014009AC28
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140074CB0	6_2_0000000140074CB0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140082CBC	6_2_0000000140082CBC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014002DD40	6_2_000000014002DD40
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140025D70	6_2_0000000140025D70
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014007DD78	6_2_000000014007DD78
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140072D90	6_2_0000000140072D90
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140055D93	6_2_0000000140055D93
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014006DDC0	6_2_000000014006DDC0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014008ADD4	6_2_000000014008ADD4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140054F10	6_2_0000000140054F10
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140085FC4	6_2_0000000140085FC4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_00FB648D	9_2_00FB648D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_00FB09F0	9_2_00FB09F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_00FB09E0	9_2_00FB09E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_00FB1788	9_2_00FB1788
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_060C4F38	9_2_060C4F38
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_060C7281	9_2_060C7281
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_060CF830	9_2_060CF830
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_060C4108	9_2_060C4108
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_060CCCC8	9_2_060CCCC8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_060C8D11	9_2_060C8D11
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_060C8D50	9_2_060C8D50
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_060C8D60	9_2_060C8D60
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_060C730C	9_2_060C730C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_060C3BB8	9_2_060C3BB8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_060CF821	9_2_060CF821
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BF0D	9_2_0611BF0D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611B59B	9_2_0611B59B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611C58B	9_2_0611C58B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BA9A	9_2_0611BA9A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_06117870	9_2_06117870
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611C0BD	9_2_0611C0BD
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BE0D	9_2_0611BE0D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BE23	9_2_0611BE23
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BE7A	9_2_0611BE7A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BC29	9_2_0611BC29
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BC6E	9_2_0611BC6E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BD7A	9_2_0611BD7A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BDB4	9_2_0611BDB4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BDB9	9_2_0611BDB9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BAC7	9_2_0611BAC7
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BAEB	9_2_0611BAEB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BB29	9_2_0611BB29
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BBBA	9_2_0611BBBA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_082FD998	9_2_082FD998
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_082E001C	9_2_082E001C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_082E0040	9_2_082E0040
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_082FCDB0	9_2_082FCDB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D1948	10_2_023D1948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D26F8	10_2_023D26F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D26F8	10_2_023D26F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D2AAC	10_2_023D2AAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D2A8A	10_2_023D2A8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D2AF3	10_2_023D2AF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D2ADC	10_2_023D2ADC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D2AC6	10_2_023D2AC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D2B2C	10_2_023D2B2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D2B45	10_2_023D2B45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D192C	10_2_023D192C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D1948	10_2_023D1948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D4F70	10_2_023D4F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D3761	10_2_023D3761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D4F60	10_2_023D4F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D2470	10_2_023D2470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D2460	10_2_023D2460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D5518	10_2_023D5518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D5510	10_2_023D5510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04C20040	10_2_04C20040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04C22BBF	10_2_04C22BBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04C20007	10_2_04C20007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DCF318	10_2_04DCF318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DC0040	10_2_04DC0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DD4CF8	10_2_04DD4CF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DD1528	10_2_04DD1528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DD6FA0	10_2_04DD6FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DDA8E7	10_2_04DDA8E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DD40E0	10_2_04DD40E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DD4428	10_2_04DD4428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DD151B	10_2_04DD151B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DD6F91	10_2_04DD6F91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DDD0B7	10_2_04DDD0B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_050FC698	10_2_050FC698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_050FEEB0	10_2_050FEEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_050FACC0	10_2_050FACC0
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_00C00751	11_2_00C00751
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_059D4108	11_2_059D4108
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_059D7281	11_2_059D7281
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_059D4F38	11_2_059D4F38
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_059D730C	11_2_059D730C
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_059D8D50	11_2_059D8D50
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_059D8D60	11_2_059D8D60
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_059DCCC8	11_2_059DCCC8
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_059DCC48	11_2_059DCC48
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_059DF858	11_2_059DF858
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_059DF848	11_2_059DF848
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_059D3BB8	11_2_059D3BB8
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2C58B	11_2_05A2C58B
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2B59B	11_2_05A2B59B
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BF0D	11_2_05A2BF0D
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2C0BD	11_2_05A2C0BD
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A27870	11_2_05A27870
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BA9A	11_2_05A2BA9A
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BDB4	11_2_05A2BDB4
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BDB9	11_2_05A2BDB9
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BD7A	11_2_05A2BD7A
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BC29	11_2_05A2BC29
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BC6E	11_2_05A2BC6E
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BE23	11_2_05A2BE23
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BE0D	11_2_05A2BE0D
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BE7A	11_2_05A2BE7A
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BBBA	11_2_05A2BBBA
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BB29	11_2_05A2BB29
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BAEB	11_2_05A2BAEB
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BAC7	11_2_05A2BAC7
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_0795AD80	11_2_0795AD80
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_0795BF88	11_2_0795BF88
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_079579B0	11_2_079579B0
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_079579E8	11_2_079579E8
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_0795B0A7	11_2_0795B0A7
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_07950006	11_2_07950006
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_07C5D998	11_2_07C5D998
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_07C5CDB0	11_2_07C5CDB0
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_07C40040	11_2_07C40040
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_07C40006	11_2_07C40006

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Code function: String function: 000000014002E190 appears 44 times

PE file contains executable resources (Code or Archives)

Source: vRp56pf5a9.exe

Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 3857 bytes, 2 files, at 0x2c +A "responsibilitylead.exe" +A "responsiibilitylead.exe", ID 4725, number 1, 1 datablock, 0x1503 compression

PE file does not import any functions

Source: responsibilitylead.exe.0.dr

Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: vRp56pf5a9.exe	Binary or memory string: OriginalFilename vs vRp56pf5a9.exe
Source: vRp56pf5a9.exe, 00000000.00000002.3288434013.00007FF70F15E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs vRp56pf5a9.exe
Source: vRp56pf5a9.exe, 00000000.00000003.1963487398.00000194131B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameresponsibilitylead.exeF vs vRp56pf5a9.exe
Source: vRp56pf5a9.exe, 00000000.00000003.1963487398.00000194131B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameresponsiibilitylead.exeH vs vRp56pf5a9.exe
Source: vRp56pf5a9.exe, 00000000.00000003.1963397618.0000019414E94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameresponsibilitylead.exeF vs vRp56pf5a9.exe
Source: vRp56pf5a9.exe, 00000000.00000003.1963397618.0000019414E94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameresponsiibilitylead.exeH vs vRp56pf5a9.exe
Source: vRp56pf5a9.exe	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs vRp56pf5a9.exe

Yara signature match

Source: 9.2.responsiibilitylead.exe.47ab768.2.raw.unpack, type: UNPACKEDPE

Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 1.2.responsibilitylead.exe.2d89f610000.11.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 1.2.responsibilitylead.exe.2d89f610000.11.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.responsibilitylead.exe.2d89f610000.11.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 1.2.responsibilitylead.exe.2d89f610000.11.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 1.2.responsibilitylead.exe.2d89f610000.11.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 1.2.responsibilitylead.exe.2d89f610000.11.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 1.2.responsibilitylead.exe.2d89f610000.11.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 1.2.responsibilitylead.exe.2d89f610000.11.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/10@1/4

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

Code function: 0_2_00007FF70F15473C CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA,

0_2_00007FF70F15473C

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

Code function: 0_2_00007FF70F151C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,

0_2_00007FF70F151C0C

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

Code function: 0_2_00007FF70F1566C4 LocalAlloc,LocalFree,lstrcmpA,LocalFree,GetTempPathA,GetDriveTypeA,GetFileAttributesA,GetDiskFreeSpaceA,MulDiv,GetWindowsDirectoryA,GetFileAttributesA,CreateDirectoryA,SetFileAttributesA,GetWindowsDirectoryA,

0_2_00007FF70F1566C4

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Code function: 6_2_0000000140037240 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

6_2_0000000140037240

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

Code function: 0_2_00007FF70F155D90 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,#20,#22,#23,FreeResource,SendMessageA,

0_2_00007FF70F155D90

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\responsibilitylead.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6456:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\090115
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E6963C270DF6A

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP

Jump to behavior

Source: vRp56pf5a9.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"

Source: vRp56pf5a9.exe	ReversingLabs: Detection: 75%
Source: vRp56pf5a9.exe	Virustotal: Detection: 71%

Source: unknown	Process created: C:\Users\user\Desktop\vRp56pf5a9.exe "C:\Users\user\Desktop\vRp56pf5a9.exe"
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
Source: unknown	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\cvchost.exe "C:\Users\user\AppData\Local\cvchost.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\cvchost.exe "C:\Users\user\AppData\Local\cvchost.exe"
Source: C:\Users\user\AppData\Local\cvchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Local\cvchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Jump to behavior
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Local\cvchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Section loaded: advpack.dll	Jump to behavior
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: vRp56pf5a9.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: vRp56pf5a9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: vRp56pf5a9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: vRp56pf5a9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: vRp56pf5a9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: vRp56pf5a9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: vRp56pf5a9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: vRp56pf5a9.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: vRp56pf5a9.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wextract.pdb source: vRp56pf5a9.exe
Source:	Binary string: wextract.pdbGCTL source: vRp56pf5a9.exe
Source:	Binary string: Ghcbjyte.pdbx source: MSBuild.exe, 0000000D.00000002.4398283617.0000000005080000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003C2A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886B92000.00000004.00000800.00020000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8967FE000.00000004.00000800.00020000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2493330825.000002D89F610000.00000004.08000000.00040000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3231128972.000000000357E000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4052042219.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000C.00000002.4118162856.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Ghcbjyte.pdb source: MSBuild.exe, 0000000D.00000002.4398283617.0000000005080000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003C2A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886B92000.00000004.00000800.00020000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8967FE000.00000004.00000800.00020000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2493330825.000002D89F610000.00000004.08000000.00040000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3231128972.000000000357E000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4052042219.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000C.00000002.4118162856.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: responsibilitylead.exe, 00000001.00000002.2489625562.000002D89F100000.00000004.08000000.00040000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8968D5000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3239995479.00000000050A9000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4061666738.0000000004124000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: responsibilitylead.exe, 00000001.00000002.2489625562.000002D89F100000.00000004.08000000.00040000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8968D5000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3239995479.00000000050A9000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4061666738.0000000004124000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp

Source: vRp56pf5a9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: vRp56pf5a9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: vRp56pf5a9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: vRp56pf5a9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: vRp56pf5a9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains potential unpacker

Source: responsibilitylead.exe.0.dr, -.cs	.Net Code: _0001 System.AppDomain.Load(byte[])
Source: responsiibilitylead.exe.0.dr, -.cs	.Net Code: _0001 System.AppDomain.Load(byte[])
Source: 0.3.vRp56pf5a9.exe.194131b8eb0.1.raw.unpack, -.cs	.Net Code: _0001 System.AppDomain.Load(byte[])
Source: 0.3.vRp56pf5a9.exe.19414e95840.0.raw.unpack, -.cs	.Net Code: _0001 System.AppDomain.Load(byte[])
Source: 0.3.vRp56pf5a9.exe.194131b76b0.2.raw.unpack, -.cs	.Net Code: _0001 System.AppDomain.Load(byte[])
Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 1.2.responsibilitylead.exe.2d89f610000.11.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 1.2.responsibilitylead.exe.2d89f610000.11.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 1.2.responsibilitylead.exe.2d89f610000.11.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 1.2.responsibilitylead.exe.2d89f100000.8.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 1.2.responsibilitylead.exe.2d89f100000.8.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 1.2.responsibilitylead.exe.2d89f100000.8.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 1.2.responsibilitylead.exe.2d89f100000.8.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 1.2.responsibilitylead.exe.2d89f100000.8.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 13.2.MSBuild.exe.3ee60c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.5f80000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3e06aa8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.MSBuild.exe.41460c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.5250000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d89f560000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3e06aa8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4443385850.0000000004146000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2492795749.000002D89F560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4426106035.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4359962060.00000000029EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4403054375.0000000005250000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3231128972.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4052042219.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3274015453.0000000005F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4118162856.000000000295F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3231128972.0000000003448000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4454869281.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2479963304.000002D886831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: responsibilitylead.exe PID: 6172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: responsiibilitylead.exe PID: 6132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvchost.exe PID: 6576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvchost.exe PID: 2504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4464, type: MEMORYSTR

Binary contains a suspicious time stamp

Source: vRp56pf5a9.exe

Static PE information: 0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

Code function: 0_2_00007FF70F151D28 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,

0_2_00007FF70F151D28

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Code function: 1_2_00007FF848F300BD pushad ; iretd	1_2_00007FF848F300C1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Code function: 1_2_00007FF8491E29D1 push es; retf 0005h	1_2_00007FF8491E29D7
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Code function: 1_2_00007FF8491F6277 push eax; ret	1_2_00007FF8491F6278
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Code function: 1_2_00007FF8491F6270 push eax; ret	1_2_00007FF8491F6271
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140050186 push rcx; iretd	6_2_00000001400501A1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400501A2 push rcx; iretd	6_2_00000001400501AD
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400501AE push rcx; iretd	6_2_00000001400501B1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400501B6 push rcx; iretd	6_2_00000001400501B9
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400501B2 push rcx; iretd	6_2_00000001400501B5
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400501BE push rcx; iretd	6_2_00000001400501C1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400501BA push rcx; iretd	6_2_00000001400501BD
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400501C2 push rcx; iretd	6_2_00000001400501C5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_00FB2140 push es; ret	9_2_00FB2150
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_06112CDA pushad ; retf	9_2_06112D09
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_06115D60 push eax; iretd	9_2_06115D61
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611E367 push es; iretd	9_2_0611E394
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611E395 push es; iretd	9_2_0611E394
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D409A push FFFFFFB8h; ret	10_2_023D40A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DC0DC0 push esp; retn 04D4h	10_2_04DC0E61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DC1BE0 pushad ; retf	10_2_04DC1BE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DDB1A0 push eax; retf	10_2_04DDB1A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_050E27A1 push eax; retn 0000h	10_2_050E27A2
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_059DCC17 push esp; retf	11_2_059DCC31
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A25D60 push eax; iretd	11_2_05A25D61
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A22CF5 pushad ; retf	11_2_05A22D09

Drops PE files

Source: C:\Users\user\Desktop\vRp56pf5a9.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Jump to dropped file
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	File created: C:\Users\user\AppData\Local\cvchost.exe	Jump to dropped file

Terminates after testing mutex exists (may check infected machine status)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Code function: 6_2_0000000140048290 OpenMutexA,ExitProcess,CreateMutexA,CreateMutexExA,ExitProcess,ReleaseMutex,CloseHandle,

6_2_0000000140048290

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

Code function: 0_2_00007FF70F151684 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,

0_2_00007FF70F151684

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cvchost			Jump to behavior
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0			Jump to behavior

Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cvchost	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cvchost	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: responsiibilitylead.exe PID: 6132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvchost.exe PID: 6576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvchost.exe PID: 2504, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886831000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORER9SBIEDLL.DLL:SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE;VERSION<SERIALNUMBER>VMWARE\|VIRTUAL\|A M I\|XEN?SELECT * FROM WIN32_COMPUTERSYSTEM@MANUFACTURERAMODELBMICROSOFT\|VMWARE\|VIRTUALCJOHNDANNAEXXXXXXXXNPOWERSHELLOSTART-SLEEP -SECONDS 5; REMOVE-ITEM -PATH 'P' -FORCE
Source: cvchost.exe, 0000000C.00000002.4118162856.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886B92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLP
Source: responsiibilitylead.exe, 00000009.00000002.3231128972.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4052042219.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000C.00000002.4118162856.000000000295F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORER9SBIEDLL.DLL:SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE;VERSION<SERIALNUMBER>VMWARE\|VIRTUAL\|A M I\|XEN?SELECT * FROM WIN32_COMPUTERSYSTEM@MANUFACTURERAMODELBMICROSOFT\|VMWARE\|VIRTUALCJOHNDANNAEXXXXXXXX

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Memory allocated: 2D884F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Memory allocated: 2D89E7F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Memory allocated: 15F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Memory allocated: 3280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Memory allocated: 3020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Memory allocated: 5F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Memory allocated: 6F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 25D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory allocated: DD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory allocated: 2B90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory allocated: 2900000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory allocated: 5890000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory allocated: 6890000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory allocated: EC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory allocated: 2930000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory allocated: EC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory allocated: 5630000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory allocated: 6630000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2860000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 29D0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 49D0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1280000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2C30000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 4C30000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 338000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 424000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 349000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 488000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 372000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 462000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 361000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 582000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 359000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 549000	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\cvchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4841	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4975	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Window / User API: threadDelayed 648	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 3402	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 6429	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe	Window / User API: threadDelayed 640
Source: C:\Users\user\AppData\Local\cvchost.exe	Window / User API: threadDelayed 645

Found evasive API chain checking for process token information

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe TID: 572	Thread sleep count: 44 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe TID: 572	Thread sleep time: -44000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe TID: 5044	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe TID: 4956	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3180	Thread sleep count: 4841 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5988	Thread sleep count: 4975 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6208	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe TID: 2676	Thread sleep count: 247 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe TID: 2676	Thread sleep time: -247000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe TID: 2676	Thread sleep count: 648 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe TID: 2676	Thread sleep time: -648000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe TID: 3040	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe TID: 2364	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -420000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308	Thread sleep count: 3402 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -119750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308	Thread sleep count: 6429 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59757s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5348	Thread sleep time: -338000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -119782s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -119562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59662s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5348	Thread sleep time: -424000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59758s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59640s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59529s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5348	Thread sleep time: -349000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59771s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59545s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5348	Thread sleep time: -488000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59885s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59779s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -119344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5348	Thread sleep time: -372000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59886s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59560s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5348	Thread sleep time: -462000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59653s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59546s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5348	Thread sleep time: -361000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5348	Thread sleep time: -582000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59780s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59538s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5348	Thread sleep time: -359000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5348	Thread sleep time: -549000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe TID: 2748	Thread sleep count: 257 > 30
Source: C:\Users\user\AppData\Local\cvchost.exe TID: 2748	Thread sleep time: -257000s >= -30000s
Source: C:\Users\user\AppData\Local\cvchost.exe TID: 2748	Thread sleep count: 640 > 30
Source: C:\Users\user\AppData\Local\cvchost.exe TID: 2748	Thread sleep time: -640000s >= -30000s
Source: C:\Users\user\AppData\Local\cvchost.exe TID: 5884	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\cvchost.exe TID: 1536	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\cvchost.exe TID: 2468	Thread sleep count: 252 > 30
Source: C:\Users\user\AppData\Local\cvchost.exe TID: 2468	Thread sleep time: -252000s >= -30000s
Source: C:\Users\user\AppData\Local\cvchost.exe TID: 2468	Thread sleep count: 645 > 30
Source: C:\Users\user\AppData\Local\cvchost.exe TID: 2468	Thread sleep time: -645000s >= -30000s
Source: C:\Users\user\AppData\Local\cvchost.exe TID: 5836	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\cvchost.exe TID: 6340	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3144	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3792	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\cvchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Users\user\AppData\Local\cvchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\cvchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\cvchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F15204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00007FF70F15204C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400329C0 FindFirstFileW,FindNextFileW,	6_2_00000001400329C0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140094A90 FindClose,FindFirstFileExW,GetLastError,	6_2_0000000140094A90
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140094B40 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,	6_2_0000000140094B40
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400A94B8 FindFirstFileExW,	6_2_00000001400A94B8

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

Code function: 0_2_00007FF70F1564E4 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,

0_2_00007FF70F1564E4

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59757	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 338000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59662	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 424000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59758	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59529	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 349000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59771	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59545	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 488000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59885	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59779	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 372000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59886	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59560	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 462000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59653	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 361000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 582000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59780	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59538	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 359000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 549000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59547	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\cvchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886B92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: cvchost.exe, 0000000C.00000002.4118162856.000000000295F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorer9SbieDll.dll:select * from Win32_BIOS8Unexpected WMI query failure;version<SerialNumber>VMware\|VIRTUAL\|A M I\|Xen?select * from Win32_ComputerSystem@manufacturerAmodelBMicrosoft\|VMWare\|VirtualCjohnDannaExxxxxxxx
Source: cvchost.exe, 0000000C.00000002.4118162856.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtualhs
Source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886831000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen
Source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886831000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:Microsoft\|VMWare\|Virtual
Source: cvchost.exe, 0000000C.00000002.4118162856.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $]q 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen
Source: cvchost.exe, 0000000C.00000002.4118162856.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: crosoft\|VMWare\|Virtual
Source: cvchost.exe, 0000000C.00000002.4118162856.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $]q 1:en-CH:Microsoft\|VMWare\|Virtual
Source: cvchost.exe, 0000000C.00000002.4118162856.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886B92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0VMware\|VIRTUH
Source: cvchost.exe, 0000000B.00000002.4045702858.0000000000E30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: MSBuild.exe, 0000000A.00000002.4475845275.00000000051A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
Source: cvchost.exe, 0000000B.00000002.4052042219.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|VirtualH
Source: cvchost.exe, 0000000C.00000002.4118162856.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: responsiibilitylead.exe, 00000009.00000002.3231128972.000000000357E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWareLR]q8jY
Source: InstallUtil.exe, 00000006.00000002.2605081121.000001D4E3E68000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2606912771.000001D4E5C7B000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2606912771.000001D4E5CA3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: cvchost.exe, 0000000C.00000002.4118162856.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWareLR]q
Source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886B92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: responsiibilitylead.exe, 00000009.00000002.3231128972.000000000357E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886B92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: responsibilitylead.exe, 00000001.00000002.2479612187.000002D884D97000.00000004.00000020.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3225039212.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, cvchost.exe, 0000000C.00000002.4109924506.0000000000977000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886831000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorer9SbieDll.dll:select * from Win32_BIOS8Unexpected WMI query failure;version<SerialNumber>VMware\|VIRTUAL\|A M I\|Xen?select * from Win32_ComputerSystem@manufacturerAmodelBMicrosoft\|VMWare\|VirtualCjohnDannaExxxxxxxxNpowershellOStart-Sleep -Seconds 5; Remove-Item -Path 'P' -Force

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe

Code function: 9_2_060C07B8 CheckRemoteDebuggerPresent,

9_2_060C07B8

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\cvchost.exe	Process queried: DebugPort

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Code function: 6_2_00000001400961B8 GetLastError,IsDebuggerPresent,OutputDebugStringW,

6_2_00000001400961B8

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Code function: 6_2_00000001400961B8 GetLastError,IsDebuggerPresent,OutputDebugStringW,

6_2_00000001400961B8

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

0_2_00007FF70F151D28

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Code function: 6_2_000000014008409C GetProcessHeap,

6_2_000000014008409C

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F158494 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF70F158494
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F158790 SetUnhandledExceptionFilter,	0_2_00007FF70F158790
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014008E8D0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_000000014008E8D0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014006FC14 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_000000014006FC14

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\cvchost.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Code function: 6_2_00000001400479D0 GetModuleFileNameW,CreateProcessW,GetThreadContext,TerminateProcess,VirtualAllocEx,TerminateProcess,WriteProcessMemory,TerminateProcess,WriteProcessMemory,WriteProcessMemory,TerminateProcess,TerminateProcess,SetThreadContext,TerminateProcess,ResumeThread,TerminateProcess,

6_2_00000001400479D0

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtAllocateVirtualMemory: Direct from: 0x7FF8A840575A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtSetInformationThread: Direct from: 0x7FF8A85DCC90	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtOpenKey: Direct from: 0x7FF8A8AEC540	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtSetContextThread: Direct from: 0x7FF849247266	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtAdjustPrivilegesToken: Direct from: 0x7FF8A63B1BEC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtQueryValueKey: Direct from: 0x7FF8A7444413	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtCreateFile: Direct from: 0x7FF8A8AEC8FD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtSetInformationThread: Direct from: 0x7FF8A8AEC9BA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtDeviceIoControlFile: Direct from: 0x7FF8A63B80D9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtClose: Direct from: 0x7FF8A744713F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtUnmapViewOfSection: Direct from: 0x7FF8492477C6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtSetInformationProcess: Direct from: 0x7FF8A845FF6B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtDelayExecution: Direct from: 0x7FF8C88A26A1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtDeviceIoControlFile: Direct from: 0x7FF8A63B831F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtWriteVirtualMemory: Direct from: 0x7FF849248040	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtCreateThreadEx: Direct from: 0x7FF8A8498EE0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtAllocateVirtualMemory: Direct from: 0x7FF8A63B3FE6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtClose: Direct from: 0x7FF8A841FAC5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtClose: Direct from: 0x7FF8A84979FF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtQueryAttributesFile: Direct from: 0x7FF8A8AEC64D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtAllocateVirtualMemory: Direct from: 0x7FF849246DD9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtOpenKeyEx: Direct from: 0x7FF8A84D87B7	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtDelayExecution: Direct from: 0x7FF8A8405073	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtSetInformationProcess: Direct from: 0x7FF8A845FF46	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtQuerySystemInformation: Direct from: 0x7FF8A84253EE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtCreateFile: Direct from: 0x7FF8A8AEC113	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtAllocateVirtualMemory: Direct from: 0x7FF8A8AEC510	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtSetInformationThread: Direct from: 0x7FF8A8AEC5CC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtClose: Direct from: 0x7FF8A8AEC997
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtResumeThread: Direct from: 0x7FF849248291	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtMapViewOfSection: Direct from: 0x7FF8A84FA7F5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtWriteFile: Direct from: 0x7FF8A8AEC978	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtAllocateVirtualMemory: Direct from: 0x7FF8A846E5EF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtQueryAttributesFile: Direct from: 0x7FF8A84DBC4A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtClose: Direct from: 0x7FF8492464E1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtQuerySystemInformation: Direct from: 0x7FF8A8498FF3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtResumeThread: Direct from: 0x7FF8A8498CF6	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 140000000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 500000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe

Thread register set: target process: 2072

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 140000000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 140001000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 1400A9000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 1400CC000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 1400D1000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 1400D7000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 1400D8000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 1400D9000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 761E03F010	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 500000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 502000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 5A8000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 5AA000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 286008	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 4A8000
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 4AA000
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9C2008
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 4A8000
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 4AA000
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: A29008

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Local\cvchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

Code function: 0_2_00007FF70F1511CC LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary,

0_2_00007FF70F1511CC

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Code function: 6_2_000000014008D830 cpuid

6_2_000000014008D830

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,	6_2_000000014008813C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_0000000140088294
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,	6_2_00000001400A9330
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,	6_2_0000000140088344
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	6_2_0000000140088470
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: EnumSystemLocalesW,	6_2_000000014007B594
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoEx,FormatMessageA,	6_2_0000000140094754
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	6_2_0000000140087A3C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,	6_2_000000014007BAD8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: EnumSystemLocalesW,	6_2_0000000140087D88
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: EnumSystemLocalesW,	6_2_0000000140087E58
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	6_2_0000000140087EF0

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe	Queries volume information: C:\Users\user\AppData\Local\cvchost.exe VolumeInformation
Source: C:\Users\user\AppData\Local\cvchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\cvchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\cvchost.exe	Queries volume information: C:\Users\user\AppData\Local\cvchost.exe VolumeInformation
Source: C:\Users\user\AppData\Local\cvchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\cvchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation

Queries time zone information

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName

Jump to behavior

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

Code function: 0_2_00007FF70F158964 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

0_2_00007FF70F158964

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Code function: 6_2_0000000140051C00 GetUserNameW,

6_2_0000000140051C00

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Code function: 6_2_000000014007DAFC _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

6_2_000000014007DAFC

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

Code function: 0_2_00007FF70F152C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,

0_2_00007FF70F152C54

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: MSBuild.exe, 0000000A.00000002.4449029855.00000000006C4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4354996251.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.4447079076.0000000005868000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.4419984111.0000000001125000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.4419984111.0000000001076000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected CredGrabber

Source: Yara match

File source: Process Memory Space: InstallUtil.exe PID: 2072, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 9.2.responsiibilitylead.exe.47ab768.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.cvchost.exe.3e7b788.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d896e51dd0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3e06aa8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d896ec9e40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.4919818.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.5080000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d897329ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.4941838.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.cvchost.exe.3e7b788.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3c86a68.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d896e79e08.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d89f270000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3d06a88.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3c86a68.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3d06a88.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.5080000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d896e51dd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3e06aa8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.71f0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d896e79e08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d897329ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.71f0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d89f270000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.47ab768.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d896ec9e40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.4919818.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.4941838.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.4352491504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4129887530.0000000003E7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4398283617.0000000005080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2490796351.000002D89F270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2480957008.000002D897329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3277597286.00000000071F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4374846623.0000000003C2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2480957008.000002D896BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3239995479.00000000047AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 9.2.responsiibilitylead.exe.47ab768.2.raw.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Source: InstallUtil.exe, 00000006.00000002.2605081121.000001D4E3E68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum\wallets
Source: InstallUtil.exe, 00000006.00000002.2605081121.000001D4E3E68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectronCash\config
Source: InstallUtil.exe, 00000006.00000002.2605081121.000001D4E3E68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: InstallUtil.exe, 00000006.00000002.2605081121.000001D4E3E68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodus\exodus.wallet
Source: InstallUtil.exe, 00000006.00000002.2605081121.000001D4E3E68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum\keystore
Source: responsibilitylead.exe, 00000001.00000002.2490796351.000002D89F270000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Remote Access Functionality

Yara detected CredGrabber

Source: Yara match

File source: Process Memory Space: InstallUtil.exe PID: 2072, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 9.2.responsiibilitylead.exe.47ab768.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.cvchost.exe.3e7b788.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d896e51dd0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3e06aa8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d896ec9e40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.4919818.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.5080000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d897329ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.4941838.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.cvchost.exe.3e7b788.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3c86a68.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d896e79e08.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d89f270000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3d06a88.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3c86a68.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3d06a88.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.5080000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d896e51dd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3e06aa8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.71f0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d896e79e08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d897329ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.71f0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d89f270000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.47ab768.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d896ec9e40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.4919818.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.4941838.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.4352491504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4129887530.0000000003E7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4398283617.0000000005080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2490796351.000002D89F270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2480957008.000002D897329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3277597286.00000000071F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4374846623.0000000003C2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2480957008.000002D896BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3239995479.00000000047AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 9.2.responsiibilitylead.exe.47ab768.2.raw.unpack, type: UNPACKEDPE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
212.224.86.54	unknown	Germany	44066	DE-FIRSTCOLOwwwfirst-colonetDE	false
159.253.120.145	unknown	Russian Federation	42955	TKDIALOG-ASRU	false
109.107.181.83	unknown	Russian Federation	49973	TELEPORT-TV-ASRU	false
172.67.74.152	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

Contacted Domains

Name	IP	Active
bg.microsoft.map.fastly.net	199.232.210.172	true
api.ipify.org	172.67.74.152	true
fp2e7a.wpc.phicdn.net	192.229.211.108	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
http://159.253.120.145/beer/Zdthsqoc.wav	false	1%, Virustotal, Browse	unknown
http://159.253.120.145/beer/Vxttheubu.mp4	false	0%, Virustotal, Browse	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: vRp56pf5a9.exe	Avira: detected
Source: vRp56pf5a9.exe	Avira: detected
Source: vRp56pf5a9.exe	Avira: detected

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Avira: detection malicious, Label: TR/AVI.Agent.besyk
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Avira: detection malicious, Label: TR/AVI.Agent.uxixk
Source: C:\Users\user\AppData\Local\cvchost.exe	Avira: detection malicious, Label: TR/AVI.Agent.besyk

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Virustotal: Detection: 61%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Virustotal: Detection: 67%	Perma Link
Source: C:\Users\user\AppData\Local\cvchost.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\cvchost.exe	Virustotal: Detection: 67%	Perma Link

Multi AV Scanner detection for submitted file

Source: vRp56pf5a9.exe	ReversingLabs: Detection: 75%
Source: vRp56pf5a9.exe	Virustotal: Detection: 71%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\cvchost.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: vRp56pf5a9.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F1530EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,		0_2_00007FF70F1530EC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140047610 CryptUnprotectData,LocalFree,		6_2_0000000140047610

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49709 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49714 version: TLS 1.2

Source: vRp56pf5a9.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: wextract.pdb source: vRp56pf5a9.exe
Source:	Binary string: wextract.pdbGCTL source: vRp56pf5a9.exe
Source:	Binary string: Ghcbjyte.pdbx source: MSBuild.exe, 0000000D.00000002.4398283617.0000000005080000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003C2A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886B92000.00000004.00000800.00020000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8967FE000.00000004.00000800.00020000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2493330825.000002D89F610000.00000004.08000000.00040000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3231128972.000000000357E000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4052042219.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000C.00000002.4118162856.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Ghcbjyte.pdb source: MSBuild.exe, 0000000D.00000002.4398283617.0000000005080000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003C2A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886B92000.00000004.00000800.00020000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8967FE000.00000004.00000800.00020000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2493330825.000002D89F610000.00000004.08000000.00040000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3231128972.000000000357E000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4052042219.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000C.00000002.4118162856.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: responsibilitylead.exe, 00000001.00000002.2489625562.000002D89F100000.00000004.08000000.00040000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8968D5000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3239995479.00000000050A9000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4061666738.0000000004124000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: responsibilitylead.exe, 00000001.00000002.2489625562.000002D89F100000.00000004.08000000.00040000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8968D5000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3239995479.00000000050A9000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4061666738.0000000004124000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F15204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00007FF70F15204C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400329C0 FindFirstFileW,FindNextFileW,	6_2_00000001400329C0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140094A90 FindClose,FindFirstFileExW,GetLastError,	6_2_0000000140094A90
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140094B40 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,	6_2_0000000140094B40
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400A94B8 FindFirstFileExW,	6_2_00000001400A94B8

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Code function: 4x nop then jmp 00007FF848F62DF6h	1_2_00007FF848F31D02
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	9_2_060C07B8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 4x nop then jmp 060C7242h	9_2_060C7281
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	9_2_060C07B0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 4x nop then jmp 060C7242h	9_2_060C730C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 4x nop then jmp 0611AFAAh	9_2_0611AD90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 4x nop then jmp 0611A76Dh	9_2_0611A668
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 4x nop then jmp 0611A76Dh	9_2_0611A6D8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 4x nop then jmp 0611A76Dh	9_2_0611A6E8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 4x nop then jmp 0611AFAAh	9_2_0611AD80
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	11_2_059D07B8
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 4x nop then jmp 059D7242h	11_2_059D7281
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	11_2_059D07B0
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 4x nop then jmp 059D7242h	11_2_059D730C
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 4x nop then jmp 05A2AFAAh	11_2_05A2AD90
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 4x nop then jmp 05A2AFAAh	11_2_05A2AD80
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 4x nop then jmp 05A2A76Dh	11_2_05A2A6E8
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 4x nop then jmp 05A2A76Dh	11_2_05A2A6D8

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.5:49713 -> 109.107.181.83:15666
Source: global traffic	TCP traffic: 192.168.2.5:49719 -> 212.224.86.54:58003

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; /Host: api.ipify.orgCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /beer/Zdthsqoc.wav HTTP/1.1Host: 159.253.120.145Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /beer/Vxttheubu.mp4 HTTP/1.1Host: 159.253.120.145Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /beer/Vxttheubu.mp4 HTTP/1.1Host: 159.253.120.145Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /beer/Vxttheubu.mp4 HTTP/1.1Host: 159.253.120.145Connection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 212.224.86.54 212.224.86.54
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

May check the online IP address of the machine

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49709 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145
Source: unknown	TCP traffic detected without corresponding DNS query: 159.253.120.145

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Code function: 6_2_0000000140050500 recv,recv,closesocket,WSACleanup,

6_2_0000000140050500

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; /Host: api.ipify.orgCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /beer/Zdthsqoc.wav HTTP/1.1Host: 159.253.120.145Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /beer/Vxttheubu.mp4 HTTP/1.1Host: 159.253.120.145Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /beer/Vxttheubu.mp4 HTTP/1.1Host: 159.253.120.145Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /beer/Vxttheubu.mp4 HTTP/1.1Host: 159.253.120.145Connection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D8867F1000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3231128972.0000000003281000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4052042219.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000C.00000002.4118162856.000000000293C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://159.253.120.145
Source: responsiibilitylead.exe, 00000009.00000002.3231128972.0000000003281000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4052042219.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000C.00000002.4118162856.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://159.253.120.145/beer/Vxttheubu.mp4
Source: vRp56pf5a9.exe, 00000000.00000003.1963487398.00000194131B7000.00000004.00000020.00020000.00000000.sdmp, vRp56pf5a9.exe, 00000000.00000003.1963397618.0000019414E94000.00000004.00000020.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000000.2501981324.0000000000E82000.00000002.00000001.01000000.0000000A.sdmp, responsiibilitylead.exe, 00000009.00000002.3231128972.000000000357E000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe.0.dr, cvchost.exe.9.dr	String found in binary or memory: http://159.253.120.145/beer/Vxttheubu.mp41EGP4CCIIOMuIUm3
Source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D8867F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://159.253.120.145/beer/Zdthsqoc.wav
Source: vRp56pf5a9.exe, 00000000.00000003.1963487398.00000194131B7000.00000004.00000020.00020000.00000000.sdmp, vRp56pf5a9.exe, 00000000.00000003.1963397618.0000019414E94000.00000004.00000020.00020000.00000000.sdmp, responsibilitylead.exe, 00000001.00000000.1964179398.000002D884C32000.00000002.00000001.01000000.00000004.sdmp, responsibilitylead.exe.0.dr	String found in binary or memory: http://159.253.120.145/beer/Zdthsqoc.wav1ac8RgXhHQGMLHirw3jKOBg==
Source: powershell.exe, 00000007.00000002.2625483953.000001D42857B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2589899727.000001D419ECC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2625483953.000001D4286B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.2589899727.000001D418731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D8867F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2589899727.000001D418501000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3231128972.0000000003281000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.4454869281.00000000028B2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.4454869281.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4052042219.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000C.00000002.4118162856.000000000293C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4359962060.00000000029EB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4359962060.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.4426106035.0000000002CC9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.4426106035.0000000002F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.2589899727.000001D418731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000007.00000002.2589899727.000001D418501000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: InstallUtil.exe, 00000006.00000002.2605907683.000001D4E3F03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: InstallUtil.exe, 00000006.00000002.2606912771.000001D4E5C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: InstallUtil.exe, 00000006.00000002.2605081121.000001D4E3E68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org2
Source: InstallUtil.exe, 00000006.00000002.2605907683.000001D4E3F03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgJ
Source: powershell.exe, 00000007.00000002.2625483953.000001D4286B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.2625483953.000001D4286B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.2625483953.000001D4286B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000007.00000002.2589899727.000001D418731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: responsibilitylead.exe, 00000001.00000002.2489625562.000002D89F100000.00000004.08000000.00040000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8968D5000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3239995479.00000000050A9000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4061666738.0000000004124000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: responsibilitylead.exe, 00000001.00000002.2489625562.000002D89F100000.00000004.08000000.00040000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8968D5000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3239995479.00000000050A9000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4061666738.0000000004124000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: responsibilitylead.exe, 00000001.00000002.2489625562.000002D89F100000.00000004.08000000.00040000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8968D5000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3239995479.00000000050A9000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4061666738.0000000004124000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: powershell.exe, 00000007.00000002.2589899727.000001D419131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000002.2625483953.000001D42857B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2589899727.000001D419ECC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2625483953.000001D4286B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: responsibilitylead.exe, 00000001.00000002.2489625562.000002D89F100000.00000004.08000000.00040000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8968D5000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3239995479.00000000050A9000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4061666738.0000000004124000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: responsibilitylead.exe, 00000001.00000002.2489625562.000002D89F100000.00000004.08000000.00040000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8968D5000.00000004.00000800.00020000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2479963304.000002D886831000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3239995479.00000000050A9000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3231128972.0000000003448000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.4454869281.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4061666738.0000000004124000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4052042219.0000000002D96000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000C.00000002.4118162856.0000000002B36000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4359962060.00000000029EB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.4426106035.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: responsibilitylead.exe, 00000001.00000002.2489625562.000002D89F100000.00000004.08000000.00040000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8968D5000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3239995479.00000000050A9000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4061666738.0000000004124000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49714 version: TLS 1.2

Contains functionality to record screenshots

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

6_2_0000000140051540

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.responsiibilitylead.exe.47ab768.2.raw.unpack, type: UNPACKEDPE

Matched rule: Detects zgRAT Author: ditekSHen

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400A9668 NtQuerySystemInformation,		6_2_00000001400A9668
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140058BC0 _Init_thread_header,GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcess,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle,		6_2_0000000140058BC0

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F152C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,		0_2_00007FF70F152C54
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F151C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,		0_2_00007FF70F151C0C

Detected potential crypto function

Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F151D28	0_2_00007FF70F151D28
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F155D90	0_2_00007FF70F155D90
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F1566C4	0_2_00007FF70F1566C4
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F1540C4	0_2_00007FF70F1540C4
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F156CA4	0_2_00007FF70F156CA4
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F152DB4	0_2_00007FF70F152DB4
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F153530	0_2_00007FF70F153530
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F151C0C	0_2_00007FF70F151C0C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140052000	6_2_0000000140052000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014006A19F	6_2_000000014006A19F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140037240	6_2_0000000140037240
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014005E260	6_2_000000014005E260
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400422B0	6_2_00000001400422B0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014004B3F0	6_2_000000014004B3F0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014005C4D8	6_2_000000014005C4D8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140051540	6_2_0000000140051540
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014007155C	6_2_000000014007155C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014003D570	6_2_000000014003D570
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014002D710	6_2_000000014002D710
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400388F0	6_2_00000001400388F0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140056938	6_2_0000000140056938
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140083934	6_2_0000000140083934
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014007DAFC	6_2_000000014007DAFC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140094B40	6_2_0000000140094B40
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140050C80	6_2_0000000140050C80
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140048E40	6_2_0000000140048E40
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140055EA0	6_2_0000000140055EA0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140032FB0	6_2_0000000140032FB0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014002FFE0	6_2_000000014002FFE0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400060C0	6_2_00000001400060C0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014006E0D0	6_2_000000014006E0D0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140076128	6_2_0000000140076128
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140068140	6_2_0000000140068140
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014002E1BE	6_2_000000014002E1BE
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140081254	6_2_0000000140081254
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140076310	6_2_0000000140076310
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014008B330	6_2_000000014008B330
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014007A33C	6_2_000000014007A33C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014006E3F0	6_2_000000014006E3F0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140077420	6_2_0000000140077420
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140060420	6_2_0000000140060420
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140087498	6_2_0000000140087498
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400764F8	6_2_00000001400764F8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014005B610	6_2_000000014005B610
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014004A640	6_2_000000014004A640
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014007F6C4	6_2_000000014007F6C4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400256D0	6_2_00000001400256D0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014006870F	6_2_000000014006870F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014006D780	6_2_000000014006D780
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400067D0	6_2_00000001400067D0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400247F0	6_2_00000001400247F0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140085854	6_2_0000000140085854
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140072898	6_2_0000000140072898
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140089904	6_2_0000000140089904
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140081962	6_2_0000000140081962
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140096A10	6_2_0000000140096A10
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140028A70	6_2_0000000140028A70
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014006DAB0	6_2_000000014006DAB0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140076B40	6_2_0000000140076B40
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014004CB60	6_2_000000014004CB60
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014009AC28	6_2_000000014009AC28
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140074CB0	6_2_0000000140074CB0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140082CBC	6_2_0000000140082CBC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014002DD40	6_2_000000014002DD40
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140025D70	6_2_0000000140025D70
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014007DD78	6_2_000000014007DD78
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140072D90	6_2_0000000140072D90
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140055D93	6_2_0000000140055D93
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014006DDC0	6_2_000000014006DDC0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014008ADD4	6_2_000000014008ADD4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140054F10	6_2_0000000140054F10
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140085FC4	6_2_0000000140085FC4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_00FB648D	9_2_00FB648D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_00FB09F0	9_2_00FB09F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_00FB09E0	9_2_00FB09E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_00FB1788	9_2_00FB1788
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_060C4F38	9_2_060C4F38
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_060C7281	9_2_060C7281
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_060CF830	9_2_060CF830
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_060C4108	9_2_060C4108
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_060CCCC8	9_2_060CCCC8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_060C8D11	9_2_060C8D11
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_060C8D50	9_2_060C8D50
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_060C8D60	9_2_060C8D60
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_060C730C	9_2_060C730C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_060C3BB8	9_2_060C3BB8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_060CF821	9_2_060CF821
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BF0D	9_2_0611BF0D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611B59B	9_2_0611B59B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611C58B	9_2_0611C58B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BA9A	9_2_0611BA9A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_06117870	9_2_06117870
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611C0BD	9_2_0611C0BD
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BE0D	9_2_0611BE0D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BE23	9_2_0611BE23
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BE7A	9_2_0611BE7A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BC29	9_2_0611BC29
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BC6E	9_2_0611BC6E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BD7A	9_2_0611BD7A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BDB4	9_2_0611BDB4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BDB9	9_2_0611BDB9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BAC7	9_2_0611BAC7
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BAEB	9_2_0611BAEB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BB29	9_2_0611BB29
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611BBBA	9_2_0611BBBA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_082FD998	9_2_082FD998
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_082E001C	9_2_082E001C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_082E0040	9_2_082E0040
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_082FCDB0	9_2_082FCDB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D1948	10_2_023D1948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D26F8	10_2_023D26F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D26F8	10_2_023D26F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D2AAC	10_2_023D2AAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D2A8A	10_2_023D2A8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D2AF3	10_2_023D2AF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D2ADC	10_2_023D2ADC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D2AC6	10_2_023D2AC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D2B2C	10_2_023D2B2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D2B45	10_2_023D2B45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D192C	10_2_023D192C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D1948	10_2_023D1948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D4F70	10_2_023D4F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D3761	10_2_023D3761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D4F60	10_2_023D4F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D2470	10_2_023D2470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D2460	10_2_023D2460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D5518	10_2_023D5518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D5510	10_2_023D5510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04C20040	10_2_04C20040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04C22BBF	10_2_04C22BBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04C20007	10_2_04C20007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DCF318	10_2_04DCF318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DC0040	10_2_04DC0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DD4CF8	10_2_04DD4CF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DD1528	10_2_04DD1528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DD6FA0	10_2_04DD6FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DDA8E7	10_2_04DDA8E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DD40E0	10_2_04DD40E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DD4428	10_2_04DD4428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DD151B	10_2_04DD151B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DD6F91	10_2_04DD6F91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DDD0B7	10_2_04DDD0B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_050FC698	10_2_050FC698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_050FEEB0	10_2_050FEEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_050FACC0	10_2_050FACC0
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_00C00751	11_2_00C00751
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_059D4108	11_2_059D4108
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_059D7281	11_2_059D7281
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_059D4F38	11_2_059D4F38
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_059D730C	11_2_059D730C
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_059D8D50	11_2_059D8D50
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_059D8D60	11_2_059D8D60
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_059DCCC8	11_2_059DCCC8
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_059DCC48	11_2_059DCC48
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_059DF858	11_2_059DF858
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_059DF848	11_2_059DF848
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_059D3BB8	11_2_059D3BB8
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2C58B	11_2_05A2C58B
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2B59B	11_2_05A2B59B
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BF0D	11_2_05A2BF0D
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2C0BD	11_2_05A2C0BD
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A27870	11_2_05A27870
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BA9A	11_2_05A2BA9A
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BDB4	11_2_05A2BDB4
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BDB9	11_2_05A2BDB9
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BD7A	11_2_05A2BD7A
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BC29	11_2_05A2BC29
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BC6E	11_2_05A2BC6E
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BE23	11_2_05A2BE23
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BE0D	11_2_05A2BE0D
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BE7A	11_2_05A2BE7A
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BBBA	11_2_05A2BBBA
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BB29	11_2_05A2BB29
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BAEB	11_2_05A2BAEB
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A2BAC7	11_2_05A2BAC7
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_0795AD80	11_2_0795AD80
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_0795BF88	11_2_0795BF88
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_079579B0	11_2_079579B0
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_079579E8	11_2_079579E8
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_0795B0A7	11_2_0795B0A7
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_07950006	11_2_07950006
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_07C5D998	11_2_07C5D998
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_07C5CDB0	11_2_07C5CDB0
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_07C40040	11_2_07C40040
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_07C40006	11_2_07C40006

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Code function: String function: 000000014002E190 appears 44 times

PE file contains executable resources (Code or Archives)

Source: vRp56pf5a9.exe

PE file does not import any functions

Source: responsibilitylead.exe.0.dr

Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: vRp56pf5a9.exe	Binary or memory string: OriginalFilename vs vRp56pf5a9.exe
Source: vRp56pf5a9.exe, 00000000.00000002.3288434013.00007FF70F15E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs vRp56pf5a9.exe
Source: vRp56pf5a9.exe, 00000000.00000003.1963487398.00000194131B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameresponsibilitylead.exeF vs vRp56pf5a9.exe
Source: vRp56pf5a9.exe, 00000000.00000003.1963487398.00000194131B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameresponsiibilitylead.exeH vs vRp56pf5a9.exe
Source: vRp56pf5a9.exe, 00000000.00000003.1963397618.0000019414E94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameresponsibilitylead.exeF vs vRp56pf5a9.exe
Source: vRp56pf5a9.exe, 00000000.00000003.1963397618.0000019414E94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameresponsiibilitylead.exeH vs vRp56pf5a9.exe
Source: vRp56pf5a9.exe	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs vRp56pf5a9.exe

Yara signature match

Source: 9.2.responsiibilitylead.exe.47ab768.2.raw.unpack, type: UNPACKEDPE

Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 1.2.responsibilitylead.exe.2d89f610000.11.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 1.2.responsibilitylead.exe.2d89f610000.11.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.responsibilitylead.exe.2d89f610000.11.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 1.2.responsibilitylead.exe.2d89f610000.11.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 1.2.responsibilitylead.exe.2d89f610000.11.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 1.2.responsibilitylead.exe.2d89f610000.11.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 1.2.responsibilitylead.exe.2d89f610000.11.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 1.2.responsibilitylead.exe.2d89f610000.11.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/10@1/4

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

Code function: 0_2_00007FF70F15473C CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA,

0_2_00007FF70F15473C

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

Code function: 0_2_00007FF70F151C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,

0_2_00007FF70F151C0C

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

0_2_00007FF70F1566C4

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

6_2_0000000140037240

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

Code function: 0_2_00007FF70F155D90 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,#20,#22,#23,FreeResource,SendMessageA,

0_2_00007FF70F155D90

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\responsibilitylead.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6456:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\090115
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E6963C270DF6A

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP

Jump to behavior

Source: vRp56pf5a9.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"

Source: vRp56pf5a9.exe	ReversingLabs: Detection: 75%
Source: vRp56pf5a9.exe	Virustotal: Detection: 71%

Source: unknown	Process created: C:\Users\user\Desktop\vRp56pf5a9.exe "C:\Users\user\Desktop\vRp56pf5a9.exe"
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
Source: unknown	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\cvchost.exe "C:\Users\user\AppData\Local\cvchost.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\cvchost.exe "C:\Users\user\AppData\Local\cvchost.exe"
Source: C:\Users\user\AppData\Local\cvchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Local\cvchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Jump to behavior
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Local\cvchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Section loaded: advpack.dll	Jump to behavior
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\cvchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: vRp56pf5a9.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: vRp56pf5a9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: vRp56pf5a9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: vRp56pf5a9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: vRp56pf5a9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: vRp56pf5a9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: vRp56pf5a9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: vRp56pf5a9.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: vRp56pf5a9.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wextract.pdb source: vRp56pf5a9.exe
Source:	Binary string: wextract.pdbGCTL source: vRp56pf5a9.exe
Source:	Binary string: Ghcbjyte.pdbx source: MSBuild.exe, 0000000D.00000002.4398283617.0000000005080000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003C2A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886B92000.00000004.00000800.00020000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8967FE000.00000004.00000800.00020000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2493330825.000002D89F610000.00000004.08000000.00040000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3231128972.000000000357E000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4052042219.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000C.00000002.4118162856.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Ghcbjyte.pdb source: MSBuild.exe, 0000000D.00000002.4398283617.0000000005080000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003C2A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886B92000.00000004.00000800.00020000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8967FE000.00000004.00000800.00020000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2493330825.000002D89F610000.00000004.08000000.00040000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3231128972.000000000357E000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4052042219.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000C.00000002.4118162856.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: responsibilitylead.exe, 00000001.00000002.2489625562.000002D89F100000.00000004.08000000.00040000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8968D5000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3239995479.00000000050A9000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4061666738.0000000004124000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: responsibilitylead.exe, 00000001.00000002.2489625562.000002D89F100000.00000004.08000000.00040000.00000000.sdmp, responsibilitylead.exe, 00000001.00000002.2480957008.000002D8968D5000.00000004.00000800.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3239995479.00000000050A9000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4061666738.0000000004124000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4374846623.0000000003FAE000.00000004.00000800.00020000.00000000.sdmp

Source: vRp56pf5a9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: vRp56pf5a9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: vRp56pf5a9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: vRp56pf5a9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: vRp56pf5a9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains potential unpacker

Source: responsibilitylead.exe.0.dr, -.cs	.Net Code: _0001 System.AppDomain.Load(byte[])
Source: responsiibilitylead.exe.0.dr, -.cs	.Net Code: _0001 System.AppDomain.Load(byte[])
Source: 0.3.vRp56pf5a9.exe.194131b8eb0.1.raw.unpack, -.cs	.Net Code: _0001 System.AppDomain.Load(byte[])
Source: 0.3.vRp56pf5a9.exe.19414e95840.0.raw.unpack, -.cs	.Net Code: _0001 System.AppDomain.Load(byte[])
Source: 0.3.vRp56pf5a9.exe.194131b76b0.2.raw.unpack, -.cs	.Net Code: _0001 System.AppDomain.Load(byte[])
Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 1.2.responsibilitylead.exe.2d896885728.6.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 1.2.responsibilitylead.exe.2d89f610000.11.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 1.2.responsibilitylead.exe.2d89f610000.11.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 1.2.responsibilitylead.exe.2d89f610000.11.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 1.2.responsibilitylead.exe.2d89f100000.8.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 1.2.responsibilitylead.exe.2d89f100000.8.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 1.2.responsibilitylead.exe.2d89f100000.8.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 1.2.responsibilitylead.exe.2d89f100000.8.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 1.2.responsibilitylead.exe.2d89f100000.8.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 13.2.MSBuild.exe.3ee60c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.5f80000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3e06aa8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.MSBuild.exe.41460c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.5250000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d89f560000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3e06aa8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4443385850.0000000004146000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2492795749.000002D89F560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4426106035.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4359962060.00000000029EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4403054375.0000000005250000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3231128972.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4052042219.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3274015453.0000000005F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4118162856.000000000295F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3231128972.0000000003448000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4454869281.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2479963304.000002D886831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: responsibilitylead.exe PID: 6172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: responsiibilitylead.exe PID: 6132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvchost.exe PID: 6576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvchost.exe PID: 2504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4464, type: MEMORYSTR

Binary contains a suspicious time stamp

Source: vRp56pf5a9.exe

Static PE information: 0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

0_2_00007FF70F151D28

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Code function: 1_2_00007FF848F300BD pushad ; iretd	1_2_00007FF848F300C1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Code function: 1_2_00007FF8491E29D1 push es; retf 0005h	1_2_00007FF8491E29D7
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Code function: 1_2_00007FF8491F6277 push eax; ret	1_2_00007FF8491F6278
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Code function: 1_2_00007FF8491F6270 push eax; ret	1_2_00007FF8491F6271
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140050186 push rcx; iretd	6_2_00000001400501A1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400501A2 push rcx; iretd	6_2_00000001400501AD
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400501AE push rcx; iretd	6_2_00000001400501B1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400501B6 push rcx; iretd	6_2_00000001400501B9
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400501B2 push rcx; iretd	6_2_00000001400501B5
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400501BE push rcx; iretd	6_2_00000001400501C1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400501BA push rcx; iretd	6_2_00000001400501BD
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400501C2 push rcx; iretd	6_2_00000001400501C5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_00FB2140 push es; ret	9_2_00FB2150
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_06112CDA pushad ; retf	9_2_06112D09
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_06115D60 push eax; iretd	9_2_06115D61
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611E367 push es; iretd	9_2_0611E394
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Code function: 9_2_0611E395 push es; iretd	9_2_0611E394
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_023D409A push FFFFFFB8h; ret	10_2_023D40A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DC0DC0 push esp; retn 04D4h	10_2_04DC0E61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DC1BE0 pushad ; retf	10_2_04DC1BE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_04DDB1A0 push eax; retf	10_2_04DDB1A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_050E27A1 push eax; retn 0000h	10_2_050E27A2
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_059DCC17 push esp; retf	11_2_059DCC31
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A25D60 push eax; iretd	11_2_05A25D61
Source: C:\Users\user\AppData\Local\cvchost.exe	Code function: 11_2_05A22CF5 pushad ; retf	11_2_05A22D09

Drops PE files

Source: C:\Users\user\Desktop\vRp56pf5a9.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Jump to dropped file
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	File created: C:\Users\user\AppData\Local\cvchost.exe	Jump to dropped file

Terminates after testing mutex exists (may check infected machine status)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Code function: 6_2_0000000140048290 OpenMutexA,ExitProcess,CreateMutexA,CreateMutexExA,ExitProcess,ReleaseMutex,CloseHandle,

6_2_0000000140048290

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

0_2_00007FF70F151684

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cvchost			Jump to behavior
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0			Jump to behavior

Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cvchost	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cvchost	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\cvchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: responsiibilitylead.exe PID: 6132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvchost.exe PID: 6576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvchost.exe PID: 2504, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886831000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORER9SBIEDLL.DLL:SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE;VERSION<SERIALNUMBER>VMWARE\|VIRTUAL\|A M I\|XEN?SELECT * FROM WIN32_COMPUTERSYSTEM@MANUFACTURERAMODELBMICROSOFT\|VMWARE\|VIRTUALCJOHNDANNAEXXXXXXXXNPOWERSHELLOSTART-SLEEP -SECONDS 5; REMOVE-ITEM -PATH 'P' -FORCE
Source: cvchost.exe, 0000000C.00000002.4118162856.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886B92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLP
Source: responsiibilitylead.exe, 00000009.00000002.3231128972.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000B.00000002.4052042219.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, cvchost.exe, 0000000C.00000002.4118162856.000000000295F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORER9SBIEDLL.DLL:SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE;VERSION<SERIALNUMBER>VMWARE\|VIRTUAL\|A M I\|XEN?SELECT * FROM WIN32_COMPUTERSYSTEM@MANUFACTURERAMODELBMICROSOFT\|VMWARE\|VIRTUALCJOHNDANNAEXXXXXXXX

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Memory allocated: 2D884F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Memory allocated: 2D89E7F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Memory allocated: 15F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Memory allocated: 3280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Memory allocated: 3020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Memory allocated: 5F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Memory allocated: 6F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 25D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory allocated: DD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory allocated: 2B90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory allocated: 2900000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory allocated: 5890000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory allocated: 6890000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory allocated: EC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory allocated: 2930000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory allocated: EC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory allocated: 5630000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory allocated: 6630000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2860000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 29D0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 49D0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1280000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2C30000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 4C30000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 338000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 424000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 349000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 488000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 372000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 462000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 361000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 582000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 359000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 549000	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\cvchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4841	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4975	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Window / User API: threadDelayed 648	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 3402	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 6429	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe	Window / User API: threadDelayed 640
Source: C:\Users\user\AppData\Local\cvchost.exe	Window / User API: threadDelayed 645

Found evasive API chain checking for process token information

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe TID: 572	Thread sleep count: 44 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe TID: 572	Thread sleep time: -44000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe TID: 5044	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe TID: 4956	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3180	Thread sleep count: 4841 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5988	Thread sleep count: 4975 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6208	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe TID: 2676	Thread sleep count: 247 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe TID: 2676	Thread sleep time: -247000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe TID: 2676	Thread sleep count: 648 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe TID: 2676	Thread sleep time: -648000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe TID: 3040	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe TID: 2364	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -420000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308	Thread sleep count: 3402 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -119750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308	Thread sleep count: 6429 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59757s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5348	Thread sleep time: -338000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -119782s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -119562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59662s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5348	Thread sleep time: -424000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59758s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59640s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59529s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5348	Thread sleep time: -349000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59771s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59545s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5348	Thread sleep time: -488000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59885s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59779s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -119344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5348	Thread sleep time: -372000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59886s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59560s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5348	Thread sleep time: -462000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59653s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59546s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5348	Thread sleep time: -361000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5348	Thread sleep time: -582000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59780s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59538s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5348	Thread sleep time: -359000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5348	Thread sleep time: -549000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6660	Thread sleep time: -59547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe TID: 2748	Thread sleep count: 257 > 30
Source: C:\Users\user\AppData\Local\cvchost.exe TID: 2748	Thread sleep time: -257000s >= -30000s
Source: C:\Users\user\AppData\Local\cvchost.exe TID: 2748	Thread sleep count: 640 > 30
Source: C:\Users\user\AppData\Local\cvchost.exe TID: 2748	Thread sleep time: -640000s >= -30000s
Source: C:\Users\user\AppData\Local\cvchost.exe TID: 5884	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\cvchost.exe TID: 1536	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\cvchost.exe TID: 2468	Thread sleep count: 252 > 30
Source: C:\Users\user\AppData\Local\cvchost.exe TID: 2468	Thread sleep time: -252000s >= -30000s
Source: C:\Users\user\AppData\Local\cvchost.exe TID: 2468	Thread sleep count: 645 > 30
Source: C:\Users\user\AppData\Local\cvchost.exe TID: 2468	Thread sleep time: -645000s >= -30000s
Source: C:\Users\user\AppData\Local\cvchost.exe TID: 5836	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\cvchost.exe TID: 6340	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3144	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3792	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\cvchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Users\user\AppData\Local\cvchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\cvchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\cvchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F15204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00007FF70F15204C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400329C0 FindFirstFileW,FindNextFileW,	6_2_00000001400329C0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140094A90 FindClose,FindFirstFileExW,GetLastError,	6_2_0000000140094A90
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_0000000140094B40 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,	6_2_0000000140094B40
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_00000001400A94B8 FindFirstFileExW,	6_2_00000001400A94B8

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

Code function: 0_2_00007FF70F1564E4 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,

0_2_00007FF70F1564E4

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59757	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 338000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59662	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 424000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59758	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59529	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 349000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59771	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59545	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 488000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59885	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59779	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 372000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59886	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59560	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 462000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59653	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 361000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 582000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59780	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59538	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 359000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 549000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59547	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\cvchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886B92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: cvchost.exe, 0000000C.00000002.4118162856.000000000295F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorer9SbieDll.dll:select * from Win32_BIOS8Unexpected WMI query failure;version<SerialNumber>VMware\|VIRTUAL\|A M I\|Xen?select * from Win32_ComputerSystem@manufacturerAmodelBMicrosoft\|VMWare\|VirtualCjohnDannaExxxxxxxx
Source: cvchost.exe, 0000000C.00000002.4118162856.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtualhs
Source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886831000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen
Source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886831000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:Microsoft\|VMWare\|Virtual
Source: cvchost.exe, 0000000C.00000002.4118162856.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $]q 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen
Source: cvchost.exe, 0000000C.00000002.4118162856.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: crosoft\|VMWare\|Virtual
Source: cvchost.exe, 0000000C.00000002.4118162856.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $]q 1:en-CH:Microsoft\|VMWare\|Virtual
Source: cvchost.exe, 0000000C.00000002.4118162856.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886B92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0VMware\|VIRTUH
Source: cvchost.exe, 0000000B.00000002.4045702858.0000000000E30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: MSBuild.exe, 0000000A.00000002.4475845275.00000000051A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
Source: cvchost.exe, 0000000B.00000002.4052042219.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|VirtualH
Source: cvchost.exe, 0000000C.00000002.4118162856.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: responsiibilitylead.exe, 00000009.00000002.3231128972.000000000357E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWareLR]q8jY
Source: InstallUtil.exe, 00000006.00000002.2605081121.000001D4E3E68000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2606912771.000001D4E5C7B000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2606912771.000001D4E5CA3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: cvchost.exe, 0000000C.00000002.4118162856.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWareLR]q
Source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886B92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: responsiibilitylead.exe, 00000009.00000002.3231128972.000000000357E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886B92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: responsibilitylead.exe, 00000001.00000002.2479612187.000002D884D97000.00000004.00000020.00020000.00000000.sdmp, responsiibilitylead.exe, 00000009.00000002.3225039212.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, cvchost.exe, 0000000C.00000002.4109924506.0000000000977000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: responsibilitylead.exe, 00000001.00000002.2479963304.000002D886831000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorer9SbieDll.dll:select * from Win32_BIOS8Unexpected WMI query failure;version<SerialNumber>VMware\|VIRTUAL\|A M I\|Xen?select * from Win32_ComputerSystem@manufacturerAmodelBMicrosoft\|VMWare\|VirtualCjohnDannaExxxxxxxxNpowershellOStart-Sleep -Seconds 5; Remove-Item -Path 'P' -Force

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe

Code function: 9_2_060C07B8 CheckRemoteDebuggerPresent,

9_2_060C07B8

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\cvchost.exe	Process queried: DebugPort

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Code function: 6_2_00000001400961B8 GetLastError,IsDebuggerPresent,OutputDebugStringW,

6_2_00000001400961B8

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Code function: 6_2_00000001400961B8 GetLastError,IsDebuggerPresent,OutputDebugStringW,

6_2_00000001400961B8

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

0_2_00007FF70F151D28

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Code function: 6_2_000000014008409C GetProcessHeap,

6_2_000000014008409C

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F158494 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF70F158494
Source: C:\Users\user\Desktop\vRp56pf5a9.exe	Code function: 0_2_00007FF70F158790 SetUnhandledExceptionFilter,	0_2_00007FF70F158790
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014008E8D0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_000000014008E8D0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: 6_2_000000014006FC14 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_000000014006FC14

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\cvchost.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

6_2_00000001400479D0

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtAllocateVirtualMemory: Direct from: 0x7FF8A840575A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtSetInformationThread: Direct from: 0x7FF8A85DCC90	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtOpenKey: Direct from: 0x7FF8A8AEC540	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtSetContextThread: Direct from: 0x7FF849247266	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtAdjustPrivilegesToken: Direct from: 0x7FF8A63B1BEC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtQueryValueKey: Direct from: 0x7FF8A7444413	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtCreateFile: Direct from: 0x7FF8A8AEC8FD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtSetInformationThread: Direct from: 0x7FF8A8AEC9BA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtDeviceIoControlFile: Direct from: 0x7FF8A63B80D9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtClose: Direct from: 0x7FF8A744713F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtUnmapViewOfSection: Direct from: 0x7FF8492477C6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtSetInformationProcess: Direct from: 0x7FF8A845FF6B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtDelayExecution: Direct from: 0x7FF8C88A26A1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtDeviceIoControlFile: Direct from: 0x7FF8A63B831F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtWriteVirtualMemory: Direct from: 0x7FF849248040	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtCreateThreadEx: Direct from: 0x7FF8A8498EE0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtAllocateVirtualMemory: Direct from: 0x7FF8A63B3FE6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtClose: Direct from: 0x7FF8A841FAC5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtClose: Direct from: 0x7FF8A84979FF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtQueryAttributesFile: Direct from: 0x7FF8A8AEC64D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtAllocateVirtualMemory: Direct from: 0x7FF849246DD9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtOpenKeyEx: Direct from: 0x7FF8A84D87B7	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtDelayExecution: Direct from: 0x7FF8A8405073	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtSetInformationProcess: Direct from: 0x7FF8A845FF46	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtQuerySystemInformation: Direct from: 0x7FF8A84253EE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtCreateFile: Direct from: 0x7FF8A8AEC113	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtAllocateVirtualMemory: Direct from: 0x7FF8A8AEC510	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtSetInformationThread: Direct from: 0x7FF8A8AEC5CC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtClose: Direct from: 0x7FF8A8AEC997
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtResumeThread: Direct from: 0x7FF849248291	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtMapViewOfSection: Direct from: 0x7FF8A84FA7F5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtWriteFile: Direct from: 0x7FF8A8AEC978	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtAllocateVirtualMemory: Direct from: 0x7FF8A846E5EF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtQueryAttributesFile: Direct from: 0x7FF8A84DBC4A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtClose: Direct from: 0x7FF8492464E1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtQuerySystemInformation: Direct from: 0x7FF8A8498FF3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	NtResumeThread: Direct from: 0x7FF8A8498CF6	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 140000000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 500000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe

Thread register set: target process: 2072

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 140000000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 140001000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 1400A9000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 1400CC000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 1400D1000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 1400D7000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 1400D8000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 1400D9000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 761E03F010	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 500000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 502000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 5A8000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 5AA000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 286008	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 4A8000
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 4AA000
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9C2008
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 4A8000
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 4AA000
Source: C:\Users\user\AppData\Local\cvchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: A29008

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Local\cvchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

Code function: 0_2_00007FF70F1511CC LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary,

0_2_00007FF70F1511CC

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Code function: 6_2_000000014008D830 cpuid

6_2_000000014008D830

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,	6_2_000000014008813C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_0000000140088294
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,	6_2_00000001400A9330
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,	6_2_0000000140088344
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	6_2_0000000140088470
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: EnumSystemLocalesW,	6_2_000000014007B594
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoEx,FormatMessageA,	6_2_0000000140094754
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	6_2_0000000140087A3C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,	6_2_000000014007BAD8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: EnumSystemLocalesW,	6_2_0000000140087D88
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: EnumSystemLocalesW,	6_2_0000000140087E58
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	6_2_0000000140087EF0

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\cvchost.exe	Queries volume information: C:\Users\user\AppData\Local\cvchost.exe VolumeInformation
Source: C:\Users\user\AppData\Local\cvchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\cvchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\cvchost.exe	Queries volume information: C:\Users\user\AppData\Local\cvchost.exe VolumeInformation
Source: C:\Users\user\AppData\Local\cvchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\cvchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation

Queries time zone information

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName

Jump to behavior

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

Code function: 0_2_00007FF70F158964 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

0_2_00007FF70F158964

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Code function: 6_2_0000000140051C00 GetUserNameW,

6_2_0000000140051C00

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Code function: 6_2_000000014007DAFC _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

6_2_000000014007DAFC

Source: C:\Users\user\Desktop\vRp56pf5a9.exe

Code function: 0_2_00007FF70F152C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,

0_2_00007FF70F152C54

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected CredGrabber

Source: Yara match

File source: Process Memory Space: InstallUtil.exe PID: 2072, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 9.2.responsiibilitylead.exe.47ab768.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.cvchost.exe.3e7b788.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d896e51dd0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3e06aa8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d896ec9e40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.4919818.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.5080000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d897329ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.4941838.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.cvchost.exe.3e7b788.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3c86a68.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d896e79e08.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d89f270000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3d06a88.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3c86a68.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3d06a88.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.5080000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d896e51dd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3e06aa8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.71f0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d896e79e08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d897329ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.71f0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d89f270000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.47ab768.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d896ec9e40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.4919818.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.4941838.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.4352491504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4129887530.0000000003E7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4398283617.0000000005080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2490796351.000002D89F270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2480957008.000002D897329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3277597286.00000000071F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4374846623.0000000003C2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2480957008.000002D896BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3239995479.00000000047AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 9.2.responsiibilitylead.exe.47ab768.2.raw.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Source: InstallUtil.exe, 00000006.00000002.2605081121.000001D4E3E68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum\wallets
Source: InstallUtil.exe, 00000006.00000002.2605081121.000001D4E3E68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectronCash\config
Source: InstallUtil.exe, 00000006.00000002.2605081121.000001D4E3E68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: InstallUtil.exe, 00000006.00000002.2605081121.000001D4E3E68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodus\exodus.wallet
Source: InstallUtil.exe, 00000006.00000002.2605081121.000001D4E3E68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum\keystore
Source: responsibilitylead.exe, 00000001.00000002.2490796351.000002D89F270000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Remote Access Functionality

Yara detected CredGrabber

Source: Yara match

File source: Process Memory Space: InstallUtil.exe PID: 2072, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 9.2.responsiibilitylead.exe.47ab768.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.cvchost.exe.3e7b788.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d896e51dd0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3e06aa8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d896ec9e40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.4919818.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.5080000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d897329ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.4941838.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.cvchost.exe.3e7b788.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3c86a68.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d896e79e08.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d89f270000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3d06a88.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3c86a68.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3d06a88.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.5080000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d896e51dd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.3e06aa8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.71f0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d896e79e08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d897329ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.71f0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d89f270000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.47ab768.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.responsibilitylead.exe.2d896ec9e40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.4919818.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.responsiibilitylead.exe.4941838.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.4352491504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4129887530.0000000003E7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4398283617.0000000005080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2490796351.000002D89F270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2480957008.000002D897329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4374846623.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3277597286.00000000071F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4374846623.0000000003C2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2480957008.000002D896BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3239995479.00000000047AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 9.2.responsiibilitylead.exe.47ab768.2.raw.unpack, type: UNPACKEDPE

Windows Analysis Report
vRp56pf5a9.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1426786
Product:	CloudBasic
Start time:	16:10:04
Start date:	16.04.2024
Sample:	vRp56pf5a9.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	5790d1417f8f00bd7ec6fb7011c79d9c
SHA1:	36076ed9457c45d94e664ea291eb01e5c70d084b
SHA256:	ad07503bc046f5b3d65eb61646fa826bc39560916c6e1ef2c3437b6465b30a82
Filetype:	Win64 Executable GUI (202006/5) 92.65%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\responsibilitylead.exe.log	CSV text	7CA1A5BB60569A088CFF49059926AED8	C6776D1FE6DD53BAE1259057A921554CFA582B94	EC8A220B6B514C0AE5231F15926D1B25A88A3E713E1B7D475226B2655504578C
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log	CSV text	9CCD52F7E666DC3225FA8A6D9120C198	35571A48C9F29765D69EFD69D95669B1A180BBD9	965053376DFF2CDD816C41292E23666E3456504A75254130D620C3C5BB94949D
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cvchost.exe.log	ASCII text, with CRLF line terminators	9245D58BE3531FC74BB38D4B62A6FF91	A4691F5538E017F8BDA9044E90FAE74D383046AC	94FD95570644A13BB46B9BC97AF1DF28F54DF62B6129C75BF7F35F81467E2A07
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\responsiibilitylead.exe.log	ASCII text, with CRLF line terminators	9245D58BE3531FC74BB38D4B62A6FF91	A4691F5538E017F8BDA9044E90FAE74D383046AC	94FD95570644A13BB46B9BC97AF1DF28F54DF62B6129C75BF7F35F81467E2A07
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	6442F277E58B3984BA5EEE0C15C0C6AD	5343ADC2E7F102EC8FB6A101508730898CB14F57	36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows	F7930C4859CCD34BD2B80A9995F49926	8B5B95FB51619E20246F90D60F2137DA7654FC5E	163969EBEE8180E125EB00C02307ADDA1EB31174BA6F7E011B7B4B3441D8950A
C:\Users\user\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	A0C8B99E0780C3E8F8319F5EC3ABF9F4	561A59A4D6AF134797B2E2907590EFEE9E519CA3	4588AD64C432D7A20BA41949327BE873C25F7EAA0CBBA71B3435463739510035
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3vl5rssp.bxl.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5df3vzno.4no.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\cvchost.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	A0C8B99E0780C3E8F8319F5EC3ABF9F4	561A59A4D6AF134797B2E2907590EFEE9E519CA3	4588AD64C432D7A20BA41949327BE873C25F7EAA0CBBA71B3435463739510035

Windows Analysis Report vRp56pf5a9.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
vRp56pf5a9.exe

Malware Threat Intel
Provided by