Windows Analysis Report
Mu7iyblZk8.exe

Overview

General Information

Sample name: Mu7iyblZk8.exe
renamed because original name is a hash value
Original sample name: efdac8eafdf875de010fe0a6980aad44b547c2a74430c185a28d67e98168c4b3.exe
Analysis ID: 1483418
MD5: 74f11a170c0a518ce076ae43f70a7c06
SHA1: 86cafa195ca0905f79a4e877c13ad0c7ced257e5
SHA256: efdac8eafdf875de010fe0a6980aad44b547c2a74430c185a28d67e98168c4b3
Tags: exeinvestdirectinsurance-com
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Sigma detected: Silenttrinity Stager Msbuild Activity
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection
barindex
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\WareHouse.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Virustotal: Detection: 24% Perma Link
Multi AV Scanner detection for submitted file
Source: Mu7iyblZk8.exe Virustotal: Detection: 24% Perma Link
Source: Mu7iyblZk8.exe ReversingLabs: Detection: 36%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown HTTPS traffic detected: 104.21.65.79:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.9:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.65.79:443 -> 192.168.2.9:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.9:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.206.229.209:443 -> 192.168.2.9:49704 version: TLS 1.2
Source: Mu7iyblZk8.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\User\Desktop\Outputs\Omboxaav.pdb source: Mu7iyblZk8.exe, WareHouse.exe.0.dr
Source: Binary string: C:\Users\User\Desktop\Outputs\Omboxaav.pdbP source: Mu7iyblZk8.exe, WareHouse.exe.0.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 0261A85Ch 3_2_0261A650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 0261A86Fh 3_2_0261A650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 04E67D24h 3_2_04E67988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 3_2_04E6AA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 3_2_04E62984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 3_2_04E62990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov ecx, dword ptr [ebp-000000C4h] 3_2_04E69902
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 3_2_05B8F7E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then inc dword ptr [ebp-1Ch] 3_2_05B80040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 0128CD4Ch 11_2_0128CB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 0128CD5Fh 11_2_0128CB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 05E104F2h 11_2_05E10440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 05E104F2h 11_2_05E10448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov eax, dword ptr [ebp-28h] 11_2_05E1DA67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 11_2_06655519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 11_2_0665B5B1
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.9:49709 -> 45.94.31.188:1237
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View IP Address: 34.117.59.81 34.117.59.81
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
May check the online IP address of the machine
Source: unknown DNS query: name: ipinfo.io
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /assuence/litesolidCha/Victim_SID.bd HTTP/1.1User-Agent: Mozilla/5.0Host: investdirectinsurance.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /assuence/litesolidCha/Miox.bd HTTP/1.1User-Agent: Mozilla/5.0Host: investdirectinsurance.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /assuence/litesolidCha/Victim_SID.bd HTTP/1.1User-Agent: Mozilla/5.0Host: investdirectinsurance.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /assuence/litesolidCha/Miox.bd HTTP/1.1User-Agent: Mozilla/5.0Host: investdirectinsurance.comCache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 45.94.31.188
Source: unknown TCP traffic detected without corresponding DNS query: 45.94.31.188
Source: unknown TCP traffic detected without corresponding DNS query: 45.94.31.188
Source: unknown TCP traffic detected without corresponding DNS query: 45.94.31.188
Source: unknown TCP traffic detected without corresponding DNS query: 45.94.31.188
Source: unknown TCP traffic detected without corresponding DNS query: 45.94.31.188
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown TCP traffic detected without corresponding DNS query: 45.94.31.188
Source: unknown TCP traffic detected without corresponding DNS query: 45.94.31.188
Source: unknown TCP traffic detected without corresponding DNS query: 45.94.31.188
Source: unknown TCP traffic detected without corresponding DNS query: 45.94.31.188
Source: unknown TCP traffic detected without corresponding DNS query: 45.94.31.188
Source: unknown TCP traffic detected without corresponding DNS query: 45.94.31.188
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown TCP traffic detected without corresponding DNS query: 45.94.31.188
Source: unknown TCP traffic detected without corresponding DNS query: 45.94.31.188
Source: unknown TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Code function: 0_2_00007FF886E1166F InternetReadFile, 0_2_00007FF886E1166F
Source: global traffic HTTP traffic detected: GET /assuence/litesolidCha/Victim_SID.bd HTTP/1.1User-Agent: Mozilla/5.0Host: investdirectinsurance.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /assuence/litesolidCha/Miox.bd HTTP/1.1User-Agent: Mozilla/5.0Host: investdirectinsurance.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /assuence/litesolidCha/Victim_SID.bd HTTP/1.1User-Agent: Mozilla/5.0Host: investdirectinsurance.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /assuence/litesolidCha/Miox.bd HTTP/1.1User-Agent: Mozilla/5.0Host: investdirectinsurance.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: investdirectinsurance.com
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: MSBuild.exe, 00000003.00000002.3816380121.00000000027EC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.3816272759.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WareHouse.exe.0.dr String found in binary or memory: https://collection.hubanalytics.io/
Source: Mu7iyblZk8.exe, 00000000.00000002.1404853569.0000000012C88000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3816380121.0000000002814000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.3816272759.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.3813836224.0000000000429000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/users/
Source: WareHouse.exe, 0000000A.00000002.1466432583.000000001BBCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://investdirectinsurance.com/
Source: WareHouse.exe, 0000000A.00000002.1466432583.000000001BBB3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://investdirectinsurance.com/7f)
Source: WareHouse.exe, 0000000A.00000002.1464504535.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, WareHouse.exe, 0000000A.00000002.1465533364.0000000002CE2000.00000004.00000800.00020000.00000000.sdmp, Mu7iyblZk8.exe, WareHouse.exe.0.dr String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Miox.bd
Source: Mu7iyblZk8.exe, 00000000.00000002.1410420003.000000001BC61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Miox.bdY
Source: Mu7iyblZk8.exe, WareHouse.exe.0.dr String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd
Source: Mu7iyblZk8.exe, 00000000.00000002.1404302143.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd~
Source: WareHouse.exe, 0000000A.00000002.1466432583.000000001BBB3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://investdirectinsurance.com/sf
Source: Mu7iyblZk8.exe, 00000000.00000002.1404853569.0000000012C88000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3816380121.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.3813836224.0000000000429000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.3816272759.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/json
Source: MSBuild.exe, 00000003.00000002.3816380121.0000000002814000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.3816272759.0000000002C14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/missingauth
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 104.21.65.79:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.9:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.65.79:443 -> 192.168.2.9:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.9:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.206.229.209:443 -> 192.168.2.9:49704 version: TLS 1.2
Creates a window with clipboard capturing capabilities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0261B72C NtWow64QueryInformationProcess64, 3_2_0261B72C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0261B738 NtWow64ReadVirtualMemory64, 3_2_0261B738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0261D0A8 NtWow64ReadVirtualMemory64, 3_2_0261D0A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0261CD99 NtWow64QueryInformationProcess64, 3_2_0261CD99
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0128C560 NtWow64QueryInformationProcess64, 11_2_0128C560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0128C750 NtWow64ReadVirtualMemory64, 11_2_0128C750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0128C55A NtWow64QueryInformationProcess64, 11_2_0128C55A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0128C748 NtWow64ReadVirtualMemory64, 11_2_0128C748
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0261B2B8 3_2_0261B2B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_02619662 3_2_02619662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0261BE80 3_2_0261BE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_02618FF9 3_2_02618FF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_02613320 3_2_02613320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0261DBD0 3_2_0261DBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_02612043 3_2_02612043
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E570D8 3_2_04E570D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E5206A 3_2_04E5206A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E562A8 3_2_04E562A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E55BA0 3_2_04E55BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E684A0 3_2_04E684A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E6B470 3_2_04E6B470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E6A610 3_2_04E6A610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E65758 3_2_04E65758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E660E0 3_2_04E660E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E62098 3_2_04E62098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E63250 3_2_04E63250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E62C08 3_2_04E62C08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E6CDD8 3_2_04E6CDD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E65D68 3_2_04E65D68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E61818 3_2_04E61818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E609A0 3_2_04E609A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E67988 3_2_04E67988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E6AA60 3_2_04E6AA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E63A48 3_2_04E63A48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E66A50 3_2_04E66A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E64A58 3_2_04E64A58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E645D8 3_2_04E645D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E645A0 3_2_04E645A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E62088 3_2_04E62088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E691D8 3_2_04E691D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E60991 3_2_04E60991
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E67978 3_2_04E67978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E66A40 3_2_04E66A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E63A39 3_2_04E63A39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_04E62BF9 3_2_04E62BF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_05B3E160 3_2_05B3E160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_05B3B498 3_2_05B3B498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_05B3EAE8 3_2_05B3EAE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_05B3A0D0 3_2_05B3A0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_05B39430 3_2_05B39430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_05B35867 3_2_05B35867
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_05B37AB0 3_2_05B37AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_05B87428 3_2_05B87428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_05B86020 3_2_05B86020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_05B872B0 3_2_05B872B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_05B89AF8 3_2_05B89AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_05B8BA18 3_2_05B8BA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_05B84594 3_2_05B84594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_05B8CD32 3_2_05B8CD32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_05B8CD40 3_2_05B8CD40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_05B898D8 3_2_05B898D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_05B8CCDB 3_2_05B8CCDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_05B86010 3_2_05B86010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_05B80040 3_2_05B80040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_05B8BF70 3_2_05B8BF70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_05B8BF61 3_2_05B8BF61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_05B89AE8 3_2_05B89AE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_05B85238 3_2_05B85238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_05B8A4D0 3_2_05B8A4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0128E968 11_2_0128E968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_01282043 11_2_01282043
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0128B2C1 11_2_0128B2C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_012897E0 11_2_012897E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_01288FF9 11_2_01288FF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0128CE0F 11_2_0128CE0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0128E960 11_2_0128E960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0128332E 11_2_0128332E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05DE5C90 11_2_05DE5C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05DEEB08 11_2_05DEEB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05DE7AC0 11_2_05DE7AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05DEA053 11_2_05DEA053
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05DE138D 11_2_05DE138D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05E14770 11_2_05E14770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05E16C20 11_2_05E16C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05E10BC8 11_2_05E10BC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05E12BA8 11_2_05E12BA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05E12BB8 11_2_05E12BB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05E177A0 11_2_05E177A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05E17790 11_2_05E17790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05E11040 11_2_05E11040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05E11030 11_2_05E11030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05E138D0 11_2_05E138D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05E13B00 11_2_05E13B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05E13AF0 11_2_05E13AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05E51410 11_2_05E51410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05E57988 11_2_05E57988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05E53AA0 11_2_05E53AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05E55A90 11_2_05E55A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05E549C8 11_2_05E549C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05E50040 11_2_05E50040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0665C228 11_2_0665C228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0665AF78 11_2_0665AF78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0665B5B1 11_2_0665B5B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_06651588 11_2_06651588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_06651AE0 11_2_06651AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_06651ADA 11_2_06651ADA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_06652AA8 11_2_06652AA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0665B289 11_2_0665B289
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_06652A98 11_2_06652A98
Sample file is different than original file name gathered from version info
Source: Mu7iyblZk8.exe, 00000000.00000002.1406837026.000000001B580000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamegh2q.dll4 vs Mu7iyblZk8.exe
Source: Mu7iyblZk8.exe, 00000000.00000002.1404731900.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamegh2q.dll4 vs Mu7iyblZk8.exe
Source: Mu7iyblZk8.exe, 00000000.00000002.1404731900.0000000002C81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStyxStealer.exe8 vs Mu7iyblZk8.exe
Source: Mu7iyblZk8.exe, 00000000.00000002.1404853569.0000000012C88000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStyxStealer.exe8 vs Mu7iyblZk8.exe
Source: classification engine Classification label: mal100.spyw.evad.winEXE@19/10@2/3
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Victim_SID[1].bd Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8020:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4984:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: Mu7iyblZk8.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Mu7iyblZk8.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Mu7iyblZk8.exe Virustotal: Detection: 24%
Source: Mu7iyblZk8.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe File read: C:\Users\user\Desktop\Mu7iyblZk8.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Mu7iyblZk8.exe "C:\Users\user\Desktop\Mu7iyblZk8.exe"
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c schtasks /create /tn "WareHouse" /tr "C:\Users\user\AppData\Roaming\WareHouse.exe " /sc minute /mo 6 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "WareHouse" /tr "C:\Users\user\AppData\Roaming\WareHouse.exe " /sc minute /mo 6 /f
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "wmic" csproduct get UUID
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\WareHouse.exe C:\Users\user\AppData\Roaming\WareHouse.exe
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "wmic" csproduct get UUID
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c schtasks /create /tn "WareHouse" /tr "C:\Users\user\AppData\Roaming\WareHouse.exe " /sc minute /mo 6 /f Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "wmic" csproduct get UUID Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "WareHouse" /tr "C:\Users\user\AppData\Roaming\WareHouse.exe " /sc minute /mo 6 /f Jump to behavior
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "wmic" csproduct get UUID
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Mu7iyblZk8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Mu7iyblZk8.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Mu7iyblZk8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\User\Desktop\Outputs\Omboxaav.pdb source: Mu7iyblZk8.exe, WareHouse.exe.0.dr
Source: Binary string: C:\Users\User\Desktop\Outputs\Omboxaav.pdbP source: Mu7iyblZk8.exe, WareHouse.exe.0.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: Mu7iyblZk8.exe, PreventFromWeb.cs .Net Code: FOBDesusertion System.Reflection.Assembly.Load(byte[])
Source: WareHouse.exe.0.dr, PreventFromWeb.cs .Net Code: FOBDesusertion System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Code function: 0_2_00007FF886E18167 push ebx; ret 0_2_00007FF886E1816A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0261F109 push eax; mov dword ptr [esp], ecx 3_2_0261F11C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0261F448 push eax; mov dword ptr [esp], ecx 3_2_0261F45C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0261D4A8 push eax; mov dword ptr [esp], ecx 3_2_0261D4BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0261D581 push eax; mov dword ptr [esp], ecx 3_2_0261D594
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Code function: 10_2_00007FF886E28167 push ebx; ret 10_2_00007FF886E2816A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0128C8CA push eax; ret 11_2_0128C8D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0128C8D2 push eax; mov dword ptr [esp], ecx 11_2_0128C8DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0128E5F8 push eax; mov dword ptr [esp], ecx 11_2_0128E60C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_0128E78A push eax; mov dword ptr [esp], ecx 11_2_0128E79C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05DEB081 push 4005E06Ah; ret 11_2_05DEB08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 11_2_05E13E98 push eax; ret 11_2_05E13E9D
Drops PE files
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe File created: C:\Users\user\AppData\Roaming\WareHouse.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "WareHouse" /tr "C:\Users\user\AppData\Roaming\WareHouse.exe " /sc minute /mo 6 /f
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Switches to a custom stack to bypass stack traces
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FF90818D6E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FF90818D504
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FF90818DA04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FF90818D6C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FF90818DAA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FF90818D304
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FF90818D0E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FF90818D784
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FF90818D384
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FF90818D424
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FF90818E654
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FF90818D3C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FF90818D924
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FF90818D244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FF90818D2E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FF90818D7A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FF90818D664
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FF90818D944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FF90818D744
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FF90818D324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FF90818F3F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FF90818F314
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FF90818D544
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FF90818D1A4
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Memory allocated: 2A80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Memory allocated: 1AC80000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2610000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 27E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 47E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Memory allocated: 1190000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Memory allocated: 1ACC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1280000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2BE0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 4BE0000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Window / User API: threadDelayed 615 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 3912 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 5633 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 3776
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 5913
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe TID: 7820 Thread sleep count: 615 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe TID: 7824 Thread sleep count: 97 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe TID: 7620 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7976 Thread sleep count: 34 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7976 Thread sleep time: -31359464925306218s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7980 Thread sleep count: 3912 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7980 Thread sleep count: 5633 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7988 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008 Thread sleep count: 150 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WareHouse.exe TID: 8096 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4020 Thread sleep count: 47 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4020 Thread sleep time: -43349848573217419s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4292 Thread sleep count: 3776 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4292 Thread sleep count: 5913 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4580 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4244 Thread sleep count: 58 > 30
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696497155j
Source: Mu7iyblZk8.exe, 00000000.00000002.1410420003.000000001BC28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWv
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696497155
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: Mu7iyblZk8.exe, 00000000.00000002.1410420003.000000001BC28000.00000004.00000020.00020000.00000000.sdmp, Mu7iyblZk8.exe, 00000000.00000002.1404302143.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, WareHouse.exe, 0000000A.00000002.1464504535.0000000000FB0000.00000004.00000020.00020000.00000000.sdmp, WareHouse.exe, 0000000A.00000002.1466432583.000000001BBCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696497155o
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: MSBuild.exe, 00000003.00000002.3814383672.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.3814384925.0000000001027000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.3862598704.0000000007570000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696497155
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696497155f
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696497155s
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: MSBuild.exe, 00000003.00000002.3837160746.0000000003815000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: MSBuild.exe, 00000003.00000002.3845308385.0000000006690000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~~
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0261D238 LdrInitializeThunk, 3_2_0261D238
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: 0.2.Mu7iyblZk8.exe.12c89ac0.2.raw.unpack, ParentProcessUtil.cs Reference to suspicious API methods: NativeMethods.OpenProcess(PROCESS_QUERY_INFORMATION, bInheritHandle: false, (uint)id)
Source: 0.2.Mu7iyblZk8.exe.12c89ac0.2.raw.unpack, FireFoxDecryptor.cs Reference to suspicious API methods: KernelLoadLibrary64(GeckoResourcePath + "nss3.dll")
Source: 0.2.Mu7iyblZk8.exe.12c89ac0.2.raw.unpack, FireFoxDecryptor.cs Reference to suspicious API methods: HeavensGate.GetProcAddress64(NSS3, "NSS_Init")
Source: 0.2.Mu7iyblZk8.exe.12c89ac0.2.raw.unpack, FireFoxDecryptor.cs Reference to suspicious API methods: HeavensGate.GetProcAddress64(num, "VirtualProtectEx")
Source: 0.2.Mu7iyblZk8.exe.12c89ac0.2.raw.unpack, FireFoxDecryptor.cs Reference to suspicious API methods: HeavensGate.GetProcAddress64(num, "WriteProcessMemory")
Source: 0.2.Mu7iyblZk8.exe.12c89ac0.2.raw.unpack, HeavensGateProcessor.cs Reference to suspicious API methods: NativeMethods.ReadProcessMemory(lpTargetHandle, (uint)processParameters, intPtr, (uint)Marshal.SizeOf(typeof(ulong)), ref lpNumberOfBytesRead)
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 430000 Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 432000 Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 74F008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 430000
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 432000
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: C7E008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c schtasks /create /tn "WareHouse" /tr "C:\Users\user\AppData\Roaming\WareHouse.exe " /sc minute /mo 6 /f Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "wmic" csproduct get UUID Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "WareHouse" /tr "C:\Users\user\AppData\Roaming\WareHouse.exe " /sc minute /mo 6 /f Jump to behavior
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "wmic" csproduct get UUID
Queries the product ID of Windows
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Mu7iyblZk8.exe Queries volume information: C:\Users\user\Desktop\Mu7iyblZk8.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WareHouse.exe Queries volume information: C:\Users\user\AppData\Roaming\WareHouse.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Found many strings related to Crypto-Wallets (likely being stolen)
Source: Mu7iyblZk8.exe, 00000000.00000002.1404853569.0000000012C88000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectrumLTC_config_file
Source: Mu7iyblZk8.exe, 00000000.00000002.1404853569.0000000012C88000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectronCash_config_file
Source: Mu7iyblZk8.exe, 00000000.00000002.1404853569.0000000012C88000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Jaxx LibertyAaiaifbiceejhhkfbjdgonjgljkpcdhch
Source: Mu7iyblZk8.exe, 00000000.00000002.1404853569.0000000012C88000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectrumLTC_config_file
Source: Mu7iyblZk8.exe, 00000000.00000002.1404853569.0000000012C88000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Exodus_directory
Source: Mu7iyblZk8.exe, 00000000.00000002.1404853569.0000000012C88000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Ethereum_directory
Source: Mu7iyblZk8.exe, 00000000.00000002.1404853569.0000000012C88000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: keystore
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Mu7iyblZk8.exe.12c89ac0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Mu7iyblZk8.exe.12c89ac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.3813836224.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3816380121.0000000002814000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3816272759.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1404853569.0000000012C88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Mu7iyblZk8.exe PID: 7560, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7732, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 1272, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1483418 Sample: Mu7iyblZk8.exe Startdate: 27/07/2024 Architecture: WINDOWS Score: 100 50 ipinfo.io 2->50 52 investdirectinsurance.com 2->52 54 2 other IPs or domains 2->54 68 Multi AV Scanner detection for submitted file 2->68 70 .NET source code contains potential unpacker 2->70 72 .NET source code references suspicious native API functions 2->72 74 2 other signatures 2->74 9 Mu7iyblZk8.exe 17 2->9         started        14 WareHouse.exe 2->14         started        signatures3 process4 dnsIp5 56 investdirectinsurance.com 104.21.65.79, 443, 49706, 49707 CLOUDFLARENETUS United States 9->56 40 C:\Users\user\AppData\Roaming\WareHouse.exe, PE32 9->40 dropped 42 C:\Users\...\WareHouse.exe:Zone.Identifier, ASCII 9->42 dropped 44 C:\Users\user\AppData\...\Mu7iyblZk8.exe.log, CSV 9->44 dropped 76 Found many strings related to Crypto-Wallets (likely being stolen) 9->76 78 Writes to foreign memory regions 9->78 80 Allocates memory in foreign processes 9->80 16 MSBuild.exe 15 5 9->16         started        20 cmd.exe 1 9->20         started        82 Multi AV Scanner detection for dropped file 14->82 84 Injects a PE file into a foreign processes 14->84 22 MSBuild.exe 14->22         started        file6 signatures7 process8 dnsIp9 46 ipinfo.io 34.117.59.81, 443, 49708, 49712 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 16->46 48 45.94.31.188, 1237, 49709, 49713 GBTCLOUDUS Netherlands 16->48 58 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->58 60 Tries to steal Mail credentials (via file / registry access) 16->60 62 Switches to a custom stack to bypass stack traces 16->62 24 WMIC.exe 1 16->24         started        26 conhost.exe 16->26         started        64 Uses schtasks.exe or at.exe to add and modify task schedules 20->64 28 conhost.exe 20->28         started        30 schtasks.exe 1 20->30         started        66 Tries to harvest and steal browser information (history, passwords, etc) 22->66 32 WMIC.exe 22->32         started        34 conhost.exe 22->34         started        signatures10 process11 process12 36 conhost.exe 24->36         started        38 conhost.exe 32->38         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
34.117.59.81
 ipinfo.io United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG true
104.21.65.79
 investdirectinsurance.com United States
13335 CLOUDFLARENETUS false
45.94.31.188
 unknown Netherlands
395800 GBTCLOUDUS false

Contacted Domains

Name IP Active
ipinfo.io 34.117.59.81 true
investdirectinsurance.com 104.21.65.79 true
fp2e7a.wpc.phicdn.net 192.229.221.95 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd false
  • 1%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
https://investdirectinsurance.com/assuence/litesolidCha/Miox.bd false
  • 1%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
https://ipinfo.io/json true
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown