Analysis Report MV YICHUNpdf.exe

Overview

General Information

Sample Name:MV YICHUNpdf.exe
MD5:a78afbe349cd1ccc22b8868e95e8b2ac
SHA1:a6fee96f2ba8275285f2867c6165df8a76672f28
SHA256:06bee58a2c778e9fe0110f856a5045d6369e81b131d834468d49390307e208e5

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • MV YICHUNpdf.exe (PID: 5536 cmdline: 'C:\Users\user\Desktop\MV YICHUNpdf.exe' MD5: A78AFBE349CD1CCC22B8868E95E8B2AC)
    • schtasks.exe (PID: 5796 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iSAQAWDHKfK' /XML 'C:\Users\user\AppData\Local\Temp\tmp3483.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MV YICHUNpdf.exe (PID: 5840 cmdline: {path} MD5: A78AFBE349CD1CCC22B8868E95E8B2AC)
      • netsh.exe (PID: 6048 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 6056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "ZRnaLjFQUJxLD2", "URL: ": "https://iPxzzyEoZCzzl4deBph.com", "To: ": "info@eltaef.com", "ByHost: ": "secure231.servconfig.com:5878", "Password: ": "2cgjaCveTDEEVzT", "From: ": "info@eltaef.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000006.00000002.884972403.0000000002A90000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.505928890.00000000036EF000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.882138207.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: MV YICHUNpdf.exe PID: 5536 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: MV YICHUNpdf.exe PID: 5840 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
6.2.MV YICHUNpdf.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started | Author: Joe Security | Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\MV YICHUNpdf.exe, ParentProcessId: 5840, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 6048
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iSAQAWDHKfK' /XML 'C:\Users\user\AppData\Local\Temp\tmp3483.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iSAQAWDHKfK' /XML 'C:\Users\user\AppData\Local\Temp\tmp3483.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\MV YICHUNpdf.exe', ParentImage: C:\Users\user\Desktop\MV YICHUNpdf.exe, ParentProcessId: 5536, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iSAQAWDHKfK' /XML 'C:\Users\user\AppData\Local\Temp\tmp3483.tmp', ProcessId: 5796
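Both Sigma hits above are process-creation matches, and the process tree in the Startup section shows why they are worth more than their individual command lines: netsh.exe runs under a second copy of the sample (PID 5840), which itself was spawned by the first copy (PID 5536), not under a shell. The Python below is an added example, not part of this report or of Joe Sandbox's Sigma rules. It applies the same two conditions to constructed Sysmon-style events that mirror this report's process tree, adds a third heuristic for the self-spawn at PID 5840, and walks the parent chain so an analyst sees the full lineage. One caveat it handles: the sample is 32-bit, so the command line names System32\schtasks.exe while the actual Image is SysWOW64\schtasks.exe; the rules therefore key on the image basename, not the full path. The explorer.exe parent for PID 5536 (PID 3000) and the two benign events are assumptions added for contrast.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon Event ID 1 field names).
# PIDs 5536/5796/5840/6048 and their images and command lines mirror this
# report's process tree; the explorer.exe parent (PID 3000) and the two
# benign events (7002, 7003) are assumptions added for contrast, not sandbox output.
SAMPLE_EVENTS = [
    {"ProcessId": 5536, "ParentProcessId": 3000,
     "Image": r"C:\Users\user\Desktop\MV YICHUNpdf.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"'C:\Users\user\Desktop\MV YICHUNpdf.exe'"},
    {"ProcessId": 5796, "ParentProcessId": 5536,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\MV YICHUNpdf.exe",
     "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iSAQAWDHKfK' "
                    r"/XML 'C:\Users\user\AppData\Local\Temp\tmp3483.tmp'"},
    {"ProcessId": 5840, "ParentProcessId": 5536,
     "Image": r"C:\Users\user\Desktop\MV YICHUNpdf.exe",
     "ParentImage": r"C:\Users\user\Desktop\MV YICHUNpdf.exe",
     "CommandLine": "{path}"},
    {"ProcessId": 6048, "ParentProcessId": 5840,
     "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "ParentImage": r"C:\Users\user\Desktop\MV YICHUNpdf.exe",
     "CommandLine": "'netsh' wlan show profile"},
    {"ProcessId": 7002, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "netsh interface show interface"},
    {"ProcessId": 7003, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Program Files\Vendor\Setup.exe",
     "CommandLine": r'schtasks /Create /TN "Vendor\Update" /XML "C:\Program Files\Vendor\task.xml"'},
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\|\\ProgramData\\", re.IGNORECASE)

def _image_name(path):
    # Basename only: the 32-bit sample's command line says System32 while the
    # process image is SysWOW64, so a full-path comparison would miss it.
    return PureWindowsPath(path).name.lower()

def _has_all(text, *needles):
    lowered = text.lower()
    return all(n.lower() in lowered for n in needles)

def rule_capture_wifi_password(ev):
    # netsh.exe enumerating WLAN profiles (the report's first Sigma hit).
    return (_image_name(ev["Image"]) == "netsh.exe"
            and _has_all(ev["CommandLine"], "wlan", "show", "profile"))

def rule_scheduled_task_from_temp_xml(ev):
    # schtasks.exe creating a task from an XML file in a Temp folder (second hit).
    return (_image_name(ev["Image"]) == "schtasks.exe"
            and _has_all(ev["CommandLine"], "/create", "/xml")
            and TEMP_DIR_RE.search(ev["CommandLine"]) is not None)

def rule_self_spawn_from_user_path(ev):
    # A binary in a user-writable path launching a second copy of itself: the
    # suspended-process injection step visible at PID 5840 in the tree.
    return (_image_name(ev["Image"]) == _image_name(ev["ParentImage"])
            and USER_WRITABLE_RE.search(ev["Image"]) is not None)

RULES = {
    "capture_wifi_password": rule_capture_wifi_password,
    "scheduled_temp_file_as_task_from_temp_location": rule_scheduled_task_from_temp_xml,
    "self_spawn_from_user_writable_path": rule_self_spawn_from_user_path,
}

def lineage(pid, events):
    """Image basenames from the oldest ancestor present in `events` down to `pid`."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(_image_name(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain[::-1]

def evaluate(events):
    """One alert per (rule, event) hit, with parent context for triage."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append({
                    "rule": name,
                    "pid": ev["ProcessId"],
                    "parent_pid": ev["ParentProcessId"],
                    "lineage": lineage(ev["ProcessId"], events),
                    "parent_in_user_writable_path":
                        USER_WRITABLE_RE.search(ev["ParentImage"]) is not None,
                })
    return alerts
```

`evaluate(SAMPLE_EVENTS)` yields three alerts (PIDs 5796, 5840 and 6048), each with `parent_in_user_writable_path` set, while the two constructed admin-style events stay silent. The Wi-Fi rule fires on profile enumeration alone: the report's tree shows only `netsh wlan show profile`, and the per-profile `key=clear` query that actually returns a PSK is not in it, so waiting for that string would have missed this run.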

Signature Overview

AV Detection:

Found malware configuration
Source: MV YICHUNpdf.exe.5840.6.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "ZRnaLjFQUJxLD2", "URL: ": "https://iPxzzyEoZCzzl4deBph.com", "To: ": "info@eltaef.com", "ByHost: ": "secure231.servconfig.com:5878", "Password: ": "2cgjaCveTDEEVzT", "From: ": "info@eltaef.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\iSAQAWDHKfK.exe | Virustotal: Detection: 19%
Source: C:\Users\user\AppData\Roaming\iSAQAWDHKfK.exe | ReversingLabs: Detection: 25%
Multi AV Scanner detection for submitted file
Source: MV YICHUNpdf.exe | Virustotal: Detection: 19%
Source: MV YICHUNpdf.exe | ReversingLabs: Detection: 25%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\iSAQAWDHKfK.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: MV YICHUNpdf.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.MV YICHUNpdf.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Networking:

Source: global traffic | TCP traffic: 192.168.2.6:49718 -> 198.46.81.61:587
Source: MV YICHUNpdf.exe, 00000006.00000002.884972403.0000000002A90000.00000004.00000001.sdmp | String found in binary or memory: :["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java-bean","application/x-java-bean;jpi-version=1.7.0_05","application/x-java-bean;version=1.1","application/x-java-bean;version=1.1.1","application/x-java-bean;version=1.1.2","application/x-java-bean;version=1.1.3","application/x-java-bean;version=1.2","application/x-java-bean;version=1.2.1","application/x-java-bean;version=1.2.2","application/x-java-bean;version=1.3","application/x-java-bean;version=1.3.1","application/x-java-bean;version=1.4","application/x-java-bean;version=1.4.1","application/x-java-bean;version=1.4.2","application/x-java-bean;version=1.5","application/
Source: unknown | DNS traffic detected: queries for: secure231.servconfig.com
Source: MV YICHUNpdf.exe, 00000006.00000002.884972403.0000000002A90000.00000004.00000001.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: MV YICHUNpdf.exe, 00000006.00000002.891494348.0000000006040000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: MV YICHUNpdf.exe, 00000006.00000002.891494348.0000000006040000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: MV YICHUNpdf.exe, 00000006.00000002.891494348.0000000006040000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: MV YICHUNpdf.exe, 00000006.00000002.884972403.0000000002A90000.00000004.00000001.sdmp | String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: MV YICHUNpdf.exe, 00000001.00000002.515811809.0000000006772000.00000004.00000001.sdmp, MV YICHUNpdf.exe, 00000001.00000003.469038941.000000000557B000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: MV YICHUNpdf.exe, 00000006.00000002.891494348.0000000006040000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: MV YICHUNpdf.exe, 00000006.00000002.891494348.0000000006040000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: MV YICHUNpdf.exe, 00000001.00000002.502614724.0000000002550000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MV YICHUNpdf.exe, 00000006.00000002.886373775.0000000002CCA000.00000004.00000001.sdmp | String found in binary or memory: http://secure231.servconfig.com
Source: MV YICHUNpdf.exe, 00000006.00000002.884972403.0000000002A90000.00000004.00000001.sdmp | String found in binary or memory: http://support.apple.com/kb/HT203092
Source: MV YICHUNpdf.exe, 00000001.00000002.515811809.0000000006772000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: MV YICHUNpdf.exe, 00000001.00000003.479306250.000000000559E000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/type
Source: MV YICHUNpdf.exe, 00000001.00000003.478651401.000000000559E000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlc
Source: MV YICHUNpdf.exe, 00000001.00000002.515811809.0000000006772000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: MV YICHUNpdf.exe, 00000001.00000002.515811809.0000000006772000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: MV YICHUNpdf.exe, 00000001.00000003.468278642.000000000557B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comWa
Source: MV YICHUNpdf.exe, 00000001.00000003.468408381.000000000557B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comd
Source: MV YICHUNpdf.exe, 00000001.00000003.468408381.000000000557B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comopo
Source: MV YICHUNpdf.exe, 00000001.00000002.515811809.0000000006772000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: MV YICHUNpdf.exe, 00000001.00000002.515811809.0000000006772000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: MV YICHUNpdf.exe, 00000001.00000002.515811809.0000000006772000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: MV YICHUNpdf.exe, 00000001.00000003.470895286.0000000005565000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnd
Source: MV YICHUNpdf.exe, 00000001.00000003.470848668.0000000005570000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cntr
Source: MV YICHUNpdf.exe, 00000001.00000002.515811809.0000000006772000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: MV YICHUNpdf.exe, 00000001.00000003.475680047.0000000005565000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: MV YICHUNpdf.exe, 00000001.00000003.474990704.0000000005565000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/2
Source: MV YICHUNpdf.exe, 00000001.00000003.475680047.0000000005565000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/?G
Source: MV YICHUNpdf.exe, 00000001.00000003.474643524.0000000005565000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/JGiS
Source: MV YICHUNpdf.exe, 00000001.00000003.475680047.0000000005565000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/W
Source: MV YICHUNpdf.exe, 00000001.00000003.476060882.0000000005566000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: MV YICHUNpdf.exe, 00000001.00000003.476060882.0000000005566000.00000004.00000001.sdmp, MV YICHUNpdf.exe, 00000001.00000003.474990704.0000000005565000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: MV YICHUNpdf.exe, 00000001.00000003.474990704.0000000005565000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/pG
Source: MV YICHUNpdf.exe, 00000001.00000003.476060882.0000000005566000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ki:
Source: MV YICHUNpdf.exe, 00000001.00000002.515811809.0000000006772000.00000004.00000001.sdmp, MV YICHUNpdf.exe, 00000001.00000003.467661254.000000000557B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: MV YICHUNpdf.exe, 00000001.00000002.515811809.0000000006772000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: MV YICHUNpdf.exe, 00000001.00000002.515811809.0000000006772000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: MV YICHUNpdf.exe, 00000001.00000003.470453694.0000000005565000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krX
Source: MV YICHUNpdf.exe, 00000001.00000002.515811809.0000000006772000.00000004.00000001.sdmp, MV YICHUNpdf.exe, 00000001.00000003.471430588.000000000556B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: MV YICHUNpdf.exe, 00000001.00000002.515811809.0000000006772000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: MV YICHUNpdf.exe, 00000001.00000002.515811809.0000000006772000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: MV YICHUNpdf.exe, 00000006.00000002.886373775.0000000002CCA000.00000004.00000001.sdmp, MV YICHUNpdf.exe, 00000006.00000002.886581172.0000000002D3D000.00000004.00000001.sdmp | String found in binary or memory: https://iPxzzyEoZCzzl4deBph.com
Source: MV YICHUNpdf.exe, 00000006.00000002.884972403.0000000002A90000.00000004.00000001.sdmp | String found in binary or memory: https://iPxzzyEoZCzzl4deBph.comtR
Source: MV YICHUNpdf.exe, 00000006.00000002.891494348.0000000006040000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: MV YICHUNpdf.exe, 00000006.00000002.884972403.0000000002A90000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: MV YICHUNpdf.exe, 00000006.00000002.884972403.0000000002A90000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: MV YICHUNpdf.exe, 00000006.00000002.884972403.0000000002A90000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: MV YICHUNpdf.exe, 00000006.00000002.884972403.0000000002A90000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784
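The extracted AgentTesla configuration (Malware Configuration section above) names secure231.servconfig.com:5878 as the mail host, while the sandbox recorded a DNS query for that hostname and a single TCP connection to 198.46.81.61 on port 587. The report does not show the DNS answer, so whether 198.46.81.61 is that hostname's resolution is not established here. The Python below is an added example, not part of this report or of Joe Sandbox: it normalizes the extractor's output (the keys carry a trailing colon and space, and host and port are packed into one string) into IOCs, and then checks the configuration against the observed traffic. The config dict and the two observation lists are copied by hand from this report; the set of standard SMTP ports is an assumption. The port mismatch it surfaces is the kind of discrepancy to resolve before writing a firewall rule on the configured port alone.

```python
from urllib.parse import urlsplit

# The extracted configuration exactly as printed in this report (the extractor
# leaves a trailing ": " on every key).
EXTRACTED_CONFIG = {
    "Username: ": "ZRnaLjFQUJxLD2",
    "URL: ": "https://iPxzzyEoZCzzl4deBph.com",
    "To: ": "info@eltaef.com",
    "ByHost: ": "secure231.servconfig.com:5878",
    "Password: ": "2cgjaCveTDEEVzT",
    "From: ": "info@eltaef.com",
}

# Wire observations copied by hand from this report's Networking section:
# queried hostnames, and (src_ip, src_port, dst_ip, dst_port) for TCP.
OBSERVED_DNS = ["secure231.servconfig.com"]
OBSERVED_TCP = [("192.168.2.6", 49718, "198.46.81.61", 587)]

# Assumption: the ports a mail submission is expected on.
STANDARD_SMTP_PORTS = {25, 465, 587}

def normalize_config(raw):
    """Strip the extractor's key decoration and split ByHost into host and port."""
    cfg = {k.strip().rstrip(":").lower(): v.strip() for k, v in raw.items()}
    host, sep, port = cfg["byhost"].rpartition(":")
    if not sep:                      # no port given: rpartition put it all in `port`
        host, port = port, ""
    return {
        "smtp_host": host.lower(),
        "smtp_port": int(port) if port.isdigit() else None,
        "smtp_user": cfg["username"],
        "smtp_password": cfg["password"],
        "mail_from": cfg["from"].lower(),
        "mail_to": cfg["to"].lower(),
        # urlsplit().hostname lower-cases, which is what a blocklist wants.
        "url_host": urlsplit(cfg["url"]).hostname,
    }

def network_iocs(norm):
    """Hostnames for DNS/proxy blocking; mailboxes kept apart since they only
    mean something in mail-server logs."""
    hosts = {norm["smtp_host"], norm["url_host"]} - {None, ""}
    mailboxes = {norm["mail_from"], norm["mail_to"]}
    return {"hosts": sorted(hosts), "mailboxes": sorted(mailboxes)}

def check_against_observed(norm, dns_queries, tcp_flows):
    """Does the traffic the sandbox saw agree with the extracted configuration?"""
    dst_ports = {flow[3] for flow in tcp_flows}
    queried = {q.lower() for q in dns_queries}
    return {
        "configured_smtp_host_resolved": norm["smtp_host"] in queried,
        "configured_port_seen": norm["smtp_port"] in dst_ports,
        "standard_smtp_port_seen": bool(dst_ports & STANDARD_SMTP_PORTS),
        "observed_dst_ports": sorted(dst_ports),
    }
```

On this report's data the check returns `configured_smtp_host_resolved` true, `configured_port_seen` false and `standard_smtp_port_seen` true: the host from the config was looked up, but the one connection went to 587, not the 5878 the extractor printed. A network block on the hostname holds regardless; a block keyed on the configured port would not have matched this run.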

Source: MV YICHUNpdf.exe, 00000001.00000002.501381120.00000000008B0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

              System Summary:

              barindex
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 1_2_002854E51_2_002854E5
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 1_2_002874CC1_2_002874CC
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 1_2_0241C1541_2_0241C154
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 1_2_0241E5881_2_0241E588
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 1_2_0241E5981_2_0241E598
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_005174CC6_2_005174CC
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_005154E56_2_005154E5
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD10606_2_00CD1060
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD59606_2_00CD5960
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD84806_2_00CD8480
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD04486_2_00CD0448
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD2C686_2_00CD2C68
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD15606_2_00CD1560
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD7E4A6_2_00CD7E4A
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD07906_2_00CD0790
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD48CB6_2_00CD48CB
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD40E66_2_00CD40E6
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD48836_2_00CD4883
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CDD8586_2_00CDD858
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD2C686_2_00CD2C68
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD483B6_2_00CD483B
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD41CB6_2_00CD41CB
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD49E86_2_00CD49E8
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD49A06_2_00CD49A0
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD49586_2_00CD4958
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD41706_2_00CD4170
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD412B6_2_00CD412B
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD4AC06_2_00CD4AC0
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD42DF6_2_00CD42DF
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD429A6_2_00CD429A
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD42556_2_00CD4255
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD4A786_2_00CD4A78
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD42106_2_00CD4210
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD4A306_2_00CD4A30
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD4BDD6_2_00CD4BDD
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD43F96_2_00CD43F9
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD4B956_2_00CD4B95
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD43B16_2_00CD43B1
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD43696_2_00CD4369
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD4B086_2_00CD4B08
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD44CE6_2_00CD44CE
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD44866_2_00CD4486
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD3C986_2_00CD3C98
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD4C256_2_00CD4C25
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD45E86_2_00CD45E8
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD455B6_2_00CD455B
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD15516_2_00CD1551
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD46786_2_00CD4678
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD46306_2_00CD4630
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD47DD6_2_00CD47DD
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD47956_2_00CD4795
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD474D6_2_00CD474D
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD47056_2_00CD4705
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_050715606_2_05071560
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_050744206_2_05074420
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_050711A86_2_050711A8
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_050750E86_2_050750E8
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_050788386_2_05078838
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_050755106_2_05075510
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_050715506_2_05071550
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_050711A66_2_050711A6
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_050743306_2_05074330
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05078C376_2_05078C37
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05078CAB6_2_05078CAB
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05078FC76_2_05078FC7
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_050788296_2_05078829
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC0DA86_2_05EC0DA8
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC95A06_2_05EC95A0
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC81B06_2_05EC81B0
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05ECD9306_2_05ECD930
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC70FA6_2_05EC70FA
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC14C06_2_05EC14C0
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC18A86_2_05EC18A8
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC6FD06_2_05EC6FD0
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC37506_2_05EC3750
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC12B06_2_05EC12B0
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC81A26_2_05EC81A2
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05ECA5886_2_05ECA588
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC0D986_2_05EC0D98
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC95906_2_05EC9590
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC29786_2_05EC2978
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC70E56_2_05EC70E5
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC44CD6_2_05EC44CD
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC14B06_2_05EC14B0
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC5C8A6_2_05EC5C8A
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC00406_2_05EC0040
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC78516_2_05EC7851
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC74236_2_05EC7423
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC6FC06_2_05EC6FC0
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC47DC6_2_05EC47DC
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC47AD6_2_05EC47AD
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC43A06_2_05EC43A0
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC5B886_2_05EC5B88
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC43926_2_05EC4392
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC87606_2_05EC8760
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC874F6_2_05EC874F
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC37406_2_05EC3740
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC7B206_2_05EC7B20
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC2B1C6_2_05EC2B1C
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC8A686_2_05EC8A68
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_05EC8A786_2_05EC8A78
              Source: MV YICHUNpdf.exeBinary or memory string: OriginalFilename vs MV YICHUNpdf.exe
              Source: MV YICHUNpdf.exe, 00000001.00000002.502614724.0000000002550000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClockCounter.dll: vs MV YICHUNpdf.exe
              Source: MV YICHUNpdf.exe, 00000001.00000002.502614724.0000000002550000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameyxGXJhwnmjYzxFxbFKVdblW.exe4 vs MV YICHUNpdf.exe
              Source: MV YICHUNpdf.exe, 00000001.00000002.501381120.00000000008B0000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs MV YICHUNpdf.exe
              Source: MV YICHUNpdf.exe, 00000001.00000002.517838617.0000000008B60000.00000002.00000001.sdmpBinary or memory string: originalfilename vs MV YICHUNpdf.exe
              Source: MV YICHUNpdf.exe, 00000001.00000002.517838617.0000000008B60000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs MV YICHUNpdf.exe
              Source: MV YICHUNpdf.exe, 00000001.00000002.505928890.00000000036EF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamepeview.exe> vs MV YICHUNpdf.exe
              Source: MV YICHUNpdf.exe, 00000001.00000002.517470094.0000000008A70000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs MV YICHUNpdf.exe
              Source: MV YICHUNpdf.exeBinary or memory string: OriginalFilename vs MV YICHUNpdf.exe
Source: MV YICHUNpdf.exe, 00000006.00000002.890797775.0000000005EE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs MV YICHUNpdf.exe
Source: MV YICHUNpdf.exe, 00000006.00000002.883343191.0000000000CFA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs MV YICHUNpdf.exe
Source: MV YICHUNpdf.exe, 00000006.00000002.882234779.000000000044E000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameyxGXJhwnmjYzxFxbFKVdblW.exe4 vs MV YICHUNpdf.exe
Source: MV YICHUNpdf.exe, 00000006.00000002.884894392.0000000002A60000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs MV YICHUNpdf.exe
Source: MV YICHUNpdf.exe, 00000006.00000002.882491972.0000000000937000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs MV YICHUNpdf.exe
Source: MV YICHUNpdf.exe, 00000006.00000002.890765343.0000000005ED0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs MV YICHUNpdf.exe
Source: MV YICHUNpdf.exe | Binary or memory string: OriginalFilenameClockCounter.dll: vs MV YICHUNpdf.exe
Source: MV YICHUNpdf.exe | Binary or memory string: OriginalFilenameyauYsGlKtSPlGcTBCnh.exe8 vs MV YICHUNpdf.exe
Source: MV YICHUNpdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: iSAQAWDHKfK.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: MV YICHUNpdf.exe, 00000001.00000003.470236286.000000000557B000.00000004.00000001.sdmp | Binary or memory string: un Gothic is a trademark of the Microsoft group of companies.slnt
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/7@1/1
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | File created: C:\Users\user\AppData\Roaming\iSAQAWDHKfK.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6056:120:WilError_01
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3483.tmp
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: MV YICHUNpdf.exe | Virustotal: Detection: 19%
Source: MV YICHUNpdf.exe | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | File read: C:\Users\user\Desktop\MV YICHUNpdf.exe
Source: unknown | Process created: C:\Users\user\Desktop\MV YICHUNpdf.exe 'C:\Users\user\Desktop\MV YICHUNpdf.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iSAQAWDHKfK' /XML 'C:\Users\user\AppData\Local\Temp\tmp3483.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\MV YICHUNpdf.exe {path}
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iSAQAWDHKfK' /XML 'C:\Users\user\AppData\Local\Temp\tmp3483.tmp'
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Process created: C:\Users\user\Desktop\MV YICHUNpdf.exe {path}
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: MV YICHUNpdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: MV YICHUNpdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Code function: 1_2_08F42D55 push FFFFFF8Bh; iretd 1_2_08F42D57
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Code function: 6_2_00CDD5FE push esp; iretd 6_2_00CDD609
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Code function: 6_2_00CDD51A push esp; iretd 6_2_00CDD525
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Code function: 6_2_05ECE0DC push 8B000003h; iretd 6_2_05ECE0E4
Source: initial sample | Static PE information: section name: .text entropy: 7.85172574205

Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | File created (dropped file): C:\Users\user\AppData\Roaming\iSAQAWDHKfK.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iSAQAWDHKfK' /XML 'C:\Users\user\AppData\Local\Temp\tmp3483.tmp'

Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Process information set: NOOPENFILEERRORBOX (96 identical entries)
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Window / User API: threadDelayed 961
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5540 | Thread sleep time: -33000s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5648 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5964 | Thread sleep count: 961 > 30
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -59594s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -79500s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -52812s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -52594s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -78141s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -47406s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -46782s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -44782s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -44282s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -44094s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -42970s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -42282s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -41594s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -38188s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -36876s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -35970s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -34876s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -34188s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -33970s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -33282s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -32594s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -57906s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -55906s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -54094s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -44594s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Last function: Thread delayed
Source: MV YICHUNpdf.exe, 00000006.00000002.891494348.0000000006040000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Code function: 6_2_00CD3DAE LdrInitializeThunk,6_2_00CD3DAE
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iSAQAWDHKfK' /XML 'C:\Users\user\AppData\Local\Temp\tmp3483.tmp'
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Process created: C:\Users\user\Desktop\MV YICHUNpdf.exe {path}
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: MV YICHUNpdf.exe, 00000006.00000002.884142246.00000000014E0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: MV YICHUNpdf.exe, 00000006.00000002.884142246.00000000014E0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: MV YICHUNpdf.exe, 00000006.00000002.884142246.00000000014E0000.00000002.00000001.sdmp | Binary or memory string: RProgram Managerm
Source: MV YICHUNpdf.exe, 00000006.00000002.884142246.00000000014E0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Users\user\Desktop\MV YICHUNpdf.exe VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation