Loading ...

Play interactive tourEdit tour

Analysis Report EUXgI429a8.exe

Overview

General Information

Sample Name:EUXgI429a8.exe
MD5:9cc3e7338367e866e6145f12b86bc86d
SHA1:935f96b127b1da49b8e5523df9a6d9c1e196fe5a
SHA256:65310d8eb88574b37c3d5715c6eee910f2549099b512deb0ba9403c290f16340

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: MSBuild connects to smtp port
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • EUXgI429a8.exe (PID: 4460 cmdline: 'C:\Users\user\Desktop\EUXgI429a8.exe' MD5: 9CC3E7338367E866E6145F12B86BC86D)
    • schtasks.exe (PID: 4076 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yDmDsafSRKqC' /XML 'C:\Users\user\AppData\Local\Temp\tmp6178.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MSBuild.exe (PID: 2300 cmdline: {path} MD5: D621FD77BD585874F9686D3A76462EF1)
      • netsh.exe (PID: 4900 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 2884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "=0AujVmrTTi", "URL: ": "https://D03u0ue3jVYwV1.com", "To: ": "sales01@seedwellresources.xyz", "ByHost: ": "smtp.privateemail.com:5878", "Password: ": "A02dPNdoZq5T6", "From: ": "sales01@seedwellresources.xyz"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000002.1838085529.0000000002F00000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000004.00000002.1838085529.0000000002F00000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000004.00000002.1835740175.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000000.00000002.829368627.00000000045B0000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          Process Memory Space: EUXgI429a8.exe PID: 4460JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 2 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            4.2.MSBuild.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

              Sigma Overview


              System Summary:

              barindex
              Sigma detected: Capture Wi-Fi passwordShow sources
              Source: Process startedAuthor: Joe Security: Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: {path}, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentProcessId: 2300, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 4900
              Sigma detected: MSBuild connects to smtp portShow sources
              Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 199.193.7.228, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 2300, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49748
              Sigma detected: Scheduled temp file as task from temp locationShow sources
              Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yDmDsafSRKqC' /XML 'C:\Users\user\AppData\Local\Temp\tmp6178.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yDmDsafSRKqC' /XML 'C:\Users\user\AppData\Local\Temp\tmp6178.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\EUXgI429a8.exe' , ParentImage: C:\Users\user\Desktop\EUXgI429a8.exe, ParentProcessId: 4460, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yDmDsafSRKqC' /XML 'C:\Users\user\AppData\Local\Temp\tmp6178.tmp', ProcessId: 4076

              Signature Overview

              Click to jump to signature section

              Show All Signature Results

              AV Detection:

              barindex
              Antivirus / Scanner detection for submitted sampleShow sources
              Source: EUXgI429a8.exeAvira: detected
              Antivirus detection for dropped fileShow sources
              Source: C:\Users\user\AppData\Roaming\yDmDsafSRKqC.exeAvira: detection malicious, Label: HEUR/AGEN.1044426
              Found malware configurationShow sources
              Source: MSBuild.exe.2300.4.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "=0AujVmrTTi", "URL: ": "https://D03u0ue3jVYwV1.com", "To: ": "sales01@seedwellresources.xyz", "ByHost: ": "smtp.privateemail.com:5878", "Password: ": "A02dPNdoZq5T6", "From: ": "sales01@seedwellresources.xyz"}
              Multi AV Scanner detection for dropped fileShow sources
              Source: C:\Users\user\AppData\Roaming\yDmDsafSRKqC.exeVirustotal: Detection: 34%Perma Link
              Source: C:\Users\user\AppData\Roaming\yDmDsafSRKqC.exeMetadefender: Detection: 21%Perma Link
              Multi AV Scanner detection for submitted fileShow sources
              Source: EUXgI429a8.exeVirustotal: Detection: 34%Perma Link
              Source: EUXgI429a8.exeMetadefender: Detection: 21%Perma Link
              Machine Learning detection for dropped fileShow sources
              Source: C:\Users\user\AppData\Roaming\yDmDsafSRKqC.exeJoe Sandbox ML: detected
              Machine Learning detection for sampleShow sources
              Source: EUXgI429a8.exeJoe Sandbox ML: detected
              Source: 4.2.MSBuild.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8

              Source: global trafficTCP traffic: 192.168.2.5:49748 -> 199.193.7.228:587
              Source: Joe Sandbox ViewIP Address: 199.193.7.228 199.193.7.228
              Source: global trafficTCP traffic: 192.168.2.5:49748 -> 199.193.7.228:587
              Source: unknownDNS traffic detected: queries for: smtp.privateemail.com
              Source: MSBuild.exe, 00000004.00000002.1841576784.0000000006396000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
              Source: EUXgI429a8.exe, 00000000.00000002.832313179.0000000006286000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
              Source: MSBuild.exe, 00000004.00000002.1841576784.0000000006396000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.sectigo.com0
              Source: EUXgI429a8.exe, 00000000.00000002.828467467.0000000003410000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: MSBuild.exe, 00000004.00000002.1838788868.00000000030F3000.00000004.00000001.sdmpString found in binary or memory: http://smtp.privateemail.com
              Source: EUXgI429a8.exe, 00000000.00000002.832313179.0000000006286000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: EUXgI429a8.exe, 00000000.00000002.832313179.0000000006286000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
              Source: EUXgI429a8.exe, 00000000.00000002.832313179.0000000006286000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
              Source: EUXgI429a8.exe, 00000000.00000002.832313179.0000000006286000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
              Source: EUXgI429a8.exe, 00000000.00000002.832313179.0000000006286000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
              Source: EUXgI429a8.exe, 00000000.00000002.832313179.0000000006286000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
              Source: EUXgI429a8.exe, 00000000.00000002.832313179.0000000006286000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
              Source: EUXgI429a8.exe, 00000000.00000002.832313179.0000000006286000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: EUXgI429a8.exe, 00000000.00000002.832313179.0000000006286000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
              Source: EUXgI429a8.exe, 00000000.00000002.832313179.0000000006286000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
              Source: EUXgI429a8.exe, 00000000.00000002.832313179.0000000006286000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
              Source: EUXgI429a8.exe, 00000000.00000002.832313179.0000000006286000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
              Source: EUXgI429a8.exe, 00000000.00000002.832313179.0000000006286000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
              Source: EUXgI429a8.exe, 00000000.00000002.832313179.0000000006286000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
              Source: MSBuild.exe, 00000004.00000002.1838085529.0000000002F00000.00000004.00000001.sdmp, MSBuild.exe, 00000004.00000002.1838788868.00000000030F3000.00000004.00000001.sdmpString found in binary or memory: https://D03u0ue3jVYwV1.com
              Source: MSBuild.exe, 00000004.00000002.1838085529.0000000002F00000.00000004.00000001.sdmpString found in binary or memory: https://D03u0ue3jVYwV1.com8RM
              Source: MSBuild.exe, 00000004.00000002.1841576784.0000000006396000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              barindex
              Installs a global keyboard hookShow sources
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

              System Summary:

              barindex
              Source: C:\Users\user\Desktop\EUXgI429a8.exeCode function: 0_2_0149C6D40_2_0149C6D4
              Source: C:\Users\user\Desktop\EUXgI429a8.exeCode function: 0_2_0149EA280_2_0149EA28
              Source: C:\Users\user\Desktop\EUXgI429a8.exeCode function: 0_2_0149EA380_2_0149EA38
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_012259A04_2_012259A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_012210604_2_01221060
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_012215604_2_01221560
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_012284784_2_01228478
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_012204484_2_01220448
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_01222CE04_2_01222CE0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_012207904_2_01220790
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_01227E414_2_01227E41
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_012249354_2_01224935
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_012249C44_2_012249C4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_01222CE04_2_01222CE0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_01224B364_2_01224B36
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_01223B434_2_01223B43
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_01224B804_2_01224B80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_01224BCA4_2_01224BCA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_01224A0E4_2_01224A0E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_01224A584_2_01224A58
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_01224AA24_2_01224AA2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_01223AB54_2_01223AB5
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_01224AEC4_2_01224AEC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_012215504_2_01221550
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_012245F84_2_012245F8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_01224C144_2_01224C14
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_01224C5E4_2_01224C5E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_01223CA64_2_01223CA6
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_01224CA84_2_01224CA8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_01224CF24_2_01224CF2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_055B45204_2_055B4520
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_055B15E04_2_055B15E0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_055B51E84_2_055B51E8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_055B11A84_2_055B11A8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_055B89784_2_055B8978
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_055B15D34_2_055B15D3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_055B443B4_2_055B443B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_055B561B4_2_055B561B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_055B119B4_2_055B119B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_055B90D54_2_055B90D5
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_055B8D724_2_055B8D72
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_055B8DED4_2_055B8DED
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_055B89694_2_055B8969
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0650B3484_2_0650B348
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_065023704_2_06502370
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_06507E804_2_06507E80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_06508F684_2_06508F68
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0650EB604_2_0650EB60
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_065009B04_2_065009B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_065066194_2_06506619
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0650A6194_2_0650A619
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_065066284_2_06506628
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_065046C04_2_065046C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_065047B14_2_065047B1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_065097B94_2_065097B9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_065014004_2_06501400
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_065074B04_2_065074B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_065074A14_2_065074A1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0650D5904_2_0650D590
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0650D5A04_2_0650D5A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_065062614_2_06506261
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_065023604_2_06502360
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_065013F14_2_065013F1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_065023E34_2_065023E3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_065000404_2_06500040
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0650AF604_2_0650AF60
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_06506FB94_2_06506FB9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_06506C0A4_2_06506C0A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_06509C224_2_06509C22
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0650DCF84_2_0650DCF8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0650DCEA4_2_0650DCEA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_06509C884_2_06509C88
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_06505CBC4_2_06505CBC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_06506D644_2_06506D64
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_06505AE04_2_06505AE0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0650EB524_2_0650EB52
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_06508BA04_2_06508BA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0669A7284_2_0669A728
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0669DC484_2_0669DC48
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0669CCE84_2_0669CCE8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0669BCA84_2_0669BCA8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0669C8804_2_0669C880
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0669319E4_2_0669319E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0669E4584_2_0669E458
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0669D2D04_2_0669D2D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: String function: 06503D38 appears 36 times
              Source: EUXgI429a8.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: yDmDsafSRKqC.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: EUXgI429a8.exe, 00000000.00000002.828467467.0000000003410000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXysqODDSSXAEUXycjbNvzmZTlbA.exe4 vs EUXgI429a8.exe
              Source: EUXgI429a8.exe, 00000000.00000002.826078479.0000000000EC0000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamelZXwnJCLOmsGRiqxXT.exe* vs EUXgI429a8.exe
              Source: EUXgI429a8.exe, 00000000.00000002.835582975.0000000009670000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs EUXgI429a8.exe
              Source: EUXgI429a8.exe, 00000000.00000002.828665338.0000000003480000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCoreEntity.dll6 vs EUXgI429a8.exe
              Source: EUXgI429a8.exe, 00000000.00000002.835947719.0000000009760000.00000002.00000001.sdmpBinary or memory string: originalfilename vs EUXgI429a8.exe
              Source: EUXgI429a8.exe, 00000000.00000002.835947719.0000000009760000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs EUXgI429a8.exe
              Source: EUXgI429a8.exe, 00000000.00000002.834493410.0000000007680000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs EUXgI429a8.exe
              Source: EUXgI429a8.exeBinary or memory string: OriginalFilenamelZXwnJCLOmsGRiqxXT.exe* vs EUXgI429a8.exe
              Source: EUXgI429a8.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: yDmDsafSRKqC.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: EUXgI429a8.exe, u0005u2000.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: yDmDsafSRKqC.exe.0.dr, u0005u2000.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 0.2.EUXgI429a8.exe.e50000.0.unpack, u0005u2000.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 0.0.EUXgI429a8.exe.e50000.0.unpack, u0005u2000.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@9/4@1/1
              Source: C:\Users\user\Desktop\EUXgI429a8.exeFile created: C:\Users\user\AppData\Roaming\yDmDsafSRKqC.exeJump to behavior
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2396:120:WilError_01
              Source: C:\Users\user\Desktop\EUXgI429a8.exeMutant created: \Sessions\1\BaseNamedObjects\oqEYqmUIwaiDTcYBP
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2884:120:WilError_01
              Source: C:\Users\user\Desktop\EUXgI429a8.exeFile created: C:\Users\user\AppData\Local\Temp\tmp6178.tmpJump to behavior
              Source: EUXgI429a8.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\EUXgI429a8.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\EUXgI429a8.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: EUXgI429a8.exeVirustotal: Detection: 34%
              Source: EUXgI429a8.exeMetadefender: Detection: 21%
              Source: C:\Users\user\Desktop\EUXgI429a8.exeFile read: C:\Users\user\Desktop\EUXgI429a8.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\EUXgI429a8.exe 'C:\Users\user\Desktop\EUXgI429a8.exe'
              Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yDmDsafSRKqC' /XML 'C:\Users\user\AppData\Local\Temp\tmp6178.tmp'
              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
              Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yDmDsafSRKqC' /XML 'C:\Users\user\AppData\Local\Temp\tmp6178.tmp'Jump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profileJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: EUXgI429a8.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: EUXgI429a8.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: CoreEntity.pdb source: EUXgI429a8.exe, 00000000.00000002.828665338.0000000003480000.00000004.00000001.sdmp

              Source: C:\Users\user\Desktop\EUXgI429a8.exeCode function: 0_2_00E58B30 push eax; ret 0_2_00E58B31
              Source: C:\Users\user\Desktop\EUXgI429a8.exeCode function: 0_2_00E5819C push eax; ret 0_2_00E5819D
              Source: C:\Users\user\Desktop\EUXgI429a8.exeCode function: 0_2_058607F0 push ecx; ret 0_2_05860805
              Source: C:\Users\user\Desktop\EUXgI429a8.exeCode function: 0_2_0586C33B push E005853Eh; retf 0_2_0586C345
              Source: C:\Users\user\Desktop\EUXgI429a8.exeCode function: 0_2_05868FF8 push eax; mov dword ptr [esp], ecx0_2_05868FFC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_01227D90 push es; ret 4_2_01227DA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0122DC9F push edi; retn 0000h4_2_0122DCA1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_055B1198 pushad ; iretd 4_2_055B119A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0650C66F pushad ; retf 0008h4_2_0650C670
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0650C401 push es; iretd 4_2_0650C418
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0650A9F6 push es; iretd 4_2_0650A9F8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0650A986 push es; ret 4_2_0650A990
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_06696EA7 push ebx; ret 4_2_06696EAA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_06693B75 push 8B000003h; iretd 4_2_06693B7C
              Source: initial sampleStatic PE information: section name: .text entropy: 7.92473951703
              Source: initial sampleStatic PE information: section name: .text entropy: 7.92473951703

              Source: C:\Users\user\Desktop\EUXgI429a8.exeFile created: C:\Users\user\AppData\Roaming\yDmDsafSRKqC.exeJump to dropped file

              Boot Survival:

              barindex
              Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
              Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yDmDsafSRKqC' /XML 'C:\Users\user\AppData\Local\Temp\tmp6178.tmp'

              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion:

              barindex
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\Desktop\EUXgI429a8.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 2072Jump to behavior
              Source: C:\Users\user\Desktop\EUXgI429a8.exe TID: 4496Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -1844674407370954s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 896Thread sleep count: 101 > 30Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 896Thread sleep count: 2072 > 30Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -86109s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -56876s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -85032s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -55282s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -80532s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -77859s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -51688s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -50782s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -50594s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -50282s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -75141s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -74109s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -72423s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -47876s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -70782s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -70032s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -116250s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -46000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -45782s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -91188s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -68064s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -45188s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -44688s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -44470s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -44282s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -44000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -63282s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -41782s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -41500s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -61641s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -40156s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -38594s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -57141s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -36188s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -52500s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -33500s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -33094s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -48141s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -30876s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -43032s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -32391s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -119624s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -59500s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -88968s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -58406s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -115624s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -86391s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -56906s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -55656s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -55156s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -54718s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -54500s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -54218s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -53312s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -53094s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -79359s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -79077s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -78609s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -50968s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -49218s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -48374s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -96188s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -71859s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -71391s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -47374s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -46812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -46280s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -45780s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -44374s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -43968s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -65061s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -63561s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -84000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -62343s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -40406s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -39656s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -39374s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -39156s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -38780s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -38468s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -37718s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -37562s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -37280s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -36812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -35750s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -34968s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -34218s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -47859s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -31406s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -30218s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -30062s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -38109s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -37359s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -33750s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -89109s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -57968s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -83718s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -55218s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -54906s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -81609s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -54156s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -53718s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -52218s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -76968s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -50812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -99812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -49092s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -73218s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -48592s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -48092s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -94812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -46718s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -69468s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -45812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -45374s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -45218s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -45000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -87624s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -64359s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -42592s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -41000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -40468s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -80000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -79000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -39312s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -58452s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -56250s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -36780s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -36592s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -35186s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -34280s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -33906s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -33062s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -32374s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -32186s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -31280s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -30374s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -39750s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -36750s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -59780s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -58874s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -58686s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -57562s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -56874s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -56374s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -56186s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -140000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -54874s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -54374s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1260Thread sleep time: -53186s >= -30000sJump to behavior
              Source: C:\Windows<