Analysis Report MV YICHUNpdf.exe

Overview

General Information

Sample Name: MV YICHUNpdf.exe
MD5: a78afbe349cd1ccc22b8868e95e8b2ac
SHA1: a6fee96f2ba8275285f2867c6165df8a76672f28
SHA256: 06bee58a2c778e9fe0110f856a5045d6369e81b131d834468d49390307e208e5

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • MV YICHUNpdf.exe (PID: 5536 cmdline: 'C:\Users\user\Desktop\MV YICHUNpdf.exe' MD5: A78AFBE349CD1CCC22B8868E95E8B2AC)
    • schtasks.exe (PID: 5796 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iSAQAWDHKfK' /XML 'C:\Users\user\AppData\Local\Temp\tmp3483.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MV YICHUNpdf.exe (PID: 5840 cmdline: {path} MD5: A78AFBE349CD1CCC22B8868E95E8B2AC)
      • netsh.exe (PID: 6048 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 6056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "ZRnaLjFQUJxLD2", "URL: ": "https://iPxzzyEoZCzzl4deBph.com", "To: ": "info@eltaef.com", "ByHost: ": "secure231.servconfig.com:5878", "Password: ": "2cgjaCveTDEEVzT", "From: ": "info@eltaef.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000006.00000002.884972403.0000000002A90000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.505928890.00000000036EF000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.882138207.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: MV YICHUNpdf.exe PID: 5536 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: MV YICHUNpdf.exe PID: 5840 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

            Unpacked PEs

Source | Rule | Description | Author
6.2.MV YICHUNpdf.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

              Sigma Overview


              System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started, Author: Joe Security, Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\MV YICHUNpdf.exe, ParentProcessId: 5840, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 6048

Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iSAQAWDHKfK' /XML 'C:\Users\user\AppData\Local\Temp\tmp3483.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iSAQAWDHKfK' /XML 'C:\Users\user\AppData\Local\Temp\tmp3483.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\MV YICHUNpdf.exe', ParentImage: C:\Users\user\Desktop\MV YICHUNpdf.exe, ParentProcessId: 5536, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iSAQAWDHKfK' /XML 'C:\Users\user\AppData\Local\Temp\tmp3483.tmp', ProcessId: 5796

              Signature Overview

              AV Detection:

Found malware configuration
Source: MV YICHUNpdf.exe.5840.6.memstr, Malware Configuration Extractor: Agenttesla {"Username: ": "ZRnaLjFQUJxLD2", "URL: ": "https://iPxzzyEoZCzzl4deBph.com", "To: ": "info@eltaef.com", "ByHost: ": "secure231.servconfig.com:5878", "Password: ": "2cgjaCveTDEEVzT", "From: ": "info@eltaef.com"}

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\iSAQAWDHKfK.exe, Virustotal: Detection: 19%
Source: C:\Users\user\AppData\Roaming\iSAQAWDHKfK.exe, ReversingLabs: Detection: 25%

Multi AV Scanner detection for submitted file
Source: MV YICHUNpdf.exe, Virustotal: Detection: 19%
Source: MV YICHUNpdf.exe, ReversingLabs: Detection: 25%

Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\iSAQAWDHKfK.exe, Joe Sandbox ML: detected

Machine Learning detection for sample
Source: MV YICHUNpdf.exe, Joe Sandbox ML: detected
Source: 6.2.MV YICHUNpdf.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8

Source: global traffic, TCP traffic: 192.168.2.6:49718 -> 198.46.81.61:587
Source: unknown, DNS traffic detected: queries for: secure231.servconfig.com

Source: MV YICHUNpdf.exe, 00000001.00000002.501381120.00000000008B0000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

              System Summary:

Source: MV YICHUNpdf.exe, Binary or memory string: OriginalFilename vs MV YICHUNpdf.exe
Source: MV YICHUNpdf.exe, 00000001.00000002.502614724.0000000002550000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClockCounter.dll: vs MV YICHUNpdf.exe
Source: MV YICHUNpdf.exe, 00000001.00000002.502614724.0000000002550000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameyxGXJhwnmjYzxFxbFKVdblW.exe4 vs MV YICHUNpdf.exe
Source: MV YICHUNpdf.exe, 00000001.00000002.501381120.00000000008B0000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs MV YICHUNpdf.exe
Source: MV YICHUNpdf.exe, 00000001.00000002.517838617.0000000008B60000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs MV YICHUNpdf.exe
Source: MV YICHUNpdf.exe, 00000001.00000002.517838617.0000000008B60000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs MV YICHUNpdf.exe
Source: MV YICHUNpdf.exe, 00000001.00000002.505928890.00000000036EF000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamepeview.exe> vs MV YICHUNpdf.exe
Source: MV YICHUNpdf.exe, 00000001.00000002.517470094.0000000008A70000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs MV YICHUNpdf.exe
Source: MV YICHUNpdf.exe, 00000006.00000002.890797775.0000000005EE0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamewshom.ocx.mui vs MV YICHUNpdf.exe
Source: MV YICHUNpdf.exe, 00000006.00000002.883343191.0000000000CFA000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs MV YICHUNpdf.exe
Source: MV YICHUNpdf.exe, 00000006.00000002.882234779.000000000044E000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenameyxGXJhwnmjYzxFxbFKVdblW.exe4 vs MV YICHUNpdf.exe
Source: MV YICHUNpdf.exe, 00000006.00000002.884894392.0000000002A60000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs MV YICHUNpdf.exe
Source: MV YICHUNpdf.exe, 00000006.00000002.882491972.0000000000937000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameUNKNOWN_FILET vs MV YICHUNpdf.exe
Source: MV YICHUNpdf.exe, 00000006.00000002.890765343.0000000005ED0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamewshom.ocx vs MV YICHUNpdf.exe
Source: MV YICHUNpdf.exe, Binary or memory string: OriginalFilenameClockCounter.dll: vs MV YICHUNpdf.exe
Source: MV YICHUNpdf.exe, Binary or memory string: OriginalFilenameyauYsGlKtSPlGcTBCnh.exe8 vs MV YICHUNpdf.exe
              Source: MV YICHUNpdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: iSAQAWDHKfK.exe.1.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: MV YICHUNpdf.exe, 00000001.00000003.470236286.000000000557B000.00000004.00000001.sdmpBinary or memory string: un Gothic is a trademark of the Microsoft group of companies.slnt
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@9/7@1/1
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeFile created: C:\Users\user\AppData\Roaming\iSAQAWDHKfK.exeJump to behavior
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_01
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6056:120:WilError_01
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmp3483.tmpJump to behavior
              Source: MV YICHUNpdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: MV YICHUNpdf.exe | Virustotal: Detection: 19%
Source: MV YICHUNpdf.exe | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | File read: C:\Users\user\Desktop\MV YICHUNpdf.exe
Source: unknown | Process created: C:\Users\user\Desktop\MV YICHUNpdf.exe 'C:\Users\user\Desktop\MV YICHUNpdf.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iSAQAWDHKfK' /XML 'C:\Users\user\AppData\Local\Temp\tmp3483.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\MV YICHUNpdf.exe {path}
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iSAQAWDHKfK' /XML 'C:\Users\user\AppData\Local\Temp\tmp3483.tmp'
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Process created: C:\Users\user\Desktop\MV YICHUNpdf.exe {path}
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: MV YICHUNpdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: MV YICHUNpdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Code function: 1_2_08F42D55 push FFFFFF8Bh; iretd
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Code function: 6_2_00CDD5FE push esp; iretd
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Code function: 6_2_00CDD51A push esp; iretd
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Code function: 6_2_05ECE0DC push 8B000003h; iretd
Source: initial sample | Static PE information: section name: .text entropy: 7.85172574205

Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | File created: C:\Users\user\AppData\Roaming\iSAQAWDHKfK.exe

              Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iSAQAWDHKfK' /XML 'C:\Users\user\AppData\Local\Temp\tmp3483.tmp'

Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Window / User API: threadDelayed 961
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5540 | Thread sleep time: -33000s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5648 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5964 | Thread sleep count: 961 > 30
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -59594s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -79500s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -52812s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -52594s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -78141s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -47406s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -46782s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -44782s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -44282s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -44094s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -42970s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -42282s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -41594s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -38188s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -36876s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -35970s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -34876s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -34188s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -33970s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -33282s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -32594s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -57906s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -55906s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -54094s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe TID: 5960 | Thread sleep time: -44594s >= -30000s
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Last function: Thread delayed
Source: MV YICHUNpdf.exe, 00000006.00000002.891494348.0000000006040000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Code function: 6_2_00CD3DAE LdrInitializeThunk,
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iSAQAWDHKfK' /XML 'C:\Users\user\AppData\Local\Temp\tmp3483.tmp'
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Process created: C:\Users\user\Desktop\MV YICHUNpdf.exe {path}
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: MV YICHUNpdf.exe, 00000006.00000002.884142246.00000000014E0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: MV YICHUNpdf.exe, 00000006.00000002.884142246.00000000014E0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: MV YICHUNpdf.exe, 00000006.00000002.884142246.00000000014E0000.00000002.00000001.sdmp | Binary or memory string: RProgram Managerm
Source: MV YICHUNpdf.exe, 00000006.00000002.884142246.00000000014E0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Users\user\Desktop\MV YICHUNpdf.exe VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Users\user\Desktop\MV YICHUNpdf.exe VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeCode function: 6_2_00CD1FF8 GetUserNameW,
              Source: C:\Users\user\Desktop\MV YICHUNpdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Note: the observed command only lists the saved WLAN profiles and changes no network or firewall setting; the signature name is the sandbox's generic label for netsh use. The same invocation is the enumeration step of the WLAN password harvesting listed under Stealing of Sensitive Information.

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000006.00000002.884972403.0000000002A90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.505928890.00000000036EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.882138207.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MV YICHUNpdf.exe PID: 5536, type: MEMORY
Source: Yara match | File source: Process Memory Space: MV YICHUNpdf.exe PID: 5840, type: MEMORY
Source: Yara match | File source: 6.2.MV YICHUNpdf.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal WLAN passwords
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0i8ia8vs.default\cookies.sqlite
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\MV YICHUNpdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: Process Memory Space: MV YICHUNpdf.exe PID: 5840, type: MEMORY
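Detection logic for the two harvesting behaviours this report records (the netsh WLAN profile enumeration listed under Lowering of HIPS / PFW / Operating System Security Settings, and the browser, FTP, mail and WinSCP store access listed in this section), as an added example that is not part of the Joe Sandbox report or of the sample. The event schema is a constructed Sysmon-like shape (type, ts, pid, image, parent_image, cmdline, target); the store paths are the ones the report lists, while the owner-process allow-list, the user-writable-parent heuristic, the five-minute window and the event timestamps are assumptions chosen for the example.

```python
"""Added example (not from the report): replays constructed Sysmon-style events and flags
(1) netsh enumerating saved WLAN profiles from a user-writable parent and
(2) one process sweeping the credential stores of several unrelated applications."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Credential stores the report shows the sample opening, grouped by the application that owns them.
CREDENTIAL_STORES = {
    "browser": [r"\\AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Cookies)$",
                r"\\AppData\\Roaming\\Mozilla\\Firefox\\(profiles\.ini|Profiles\\[^\\]+\\cookies\.sqlite)$"],
    "ftp": [r"\\AppData\\Roaming\\FileZilla\\recentservers\.xml$",
            r"\\AppData\\Roaming\\SmartFTP\\Client 2\.0\\Favorites\\"],
    "mail": [r"\\AppData\\Roaming\\Thunderbird\\profiles\.ini$",
             r"^HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities$",
             r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\"],
    "scp": [r"^HKEY_CURRENT_USER\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions$"],
}
_STORE_RE = {c: [re.compile(p, re.IGNORECASE) for p in ps] for c, ps in CREDENTIAL_STORES.items()}
# Assumed owner processes: each legitimately reads its own store and is not a "foreign" reader.
OWNERS = {"browser": {"chrome.exe", "firefox.exe"}, "ftp": {"filezilla.exe", "smartftp.exe"},
          "mail": {"thunderbird.exe", "outlook.exe", "incmail.exe"}, "scp": {"winscp.exe"}}
# Heuristic (assumption): netsh spawned by an image under Users\, ProgramData\ or Windows\Temp\.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
WLAN_ENUM = re.compile(r"\bwlan\b.*\bshow\s+profile", re.IGNORECASE)


def classify_target(path):
    """Return the credential-store category of a file or registry path, or None."""
    for cat, regexes in _STORE_RE.items():
        if any(r.search(path) for r in regexes):
            return cat
    return None


def _exe(image):
    return image.rsplit("\\", 1)[-1].lower()


def detect(events, window=timedelta(minutes=5), min_categories=2):
    """Apply both rules to a list of event dicts and return the findings."""
    findings, foreign_reads = [], defaultdict(list)  # (pid, image) -> [(ts, category, target)]
    for ev in events:
        if ev["type"] == "process":
            if (_exe(ev["image"]) == "netsh.exe" and WLAN_ENUM.search(ev["cmdline"])
                    and USER_WRITABLE.match(ev["parent_image"])):
                findings.append({"rule": "wlan_profile_enum", "pid": ev["pid"],
                                 "parent": ev["parent_image"], "cmdline": ev["cmdline"]})
        elif ev["type"] in ("file", "registry"):
            cat = classify_target(ev["target"])
            if cat and _exe(ev["image"]) not in OWNERS[cat]:
                foreign_reads[(ev["pid"], ev["image"])].append((ev["ts"], cat, ev["target"]))
    # Rule 2: inside `window`, one foreign process touched stores of >= min_categories applications.
    for (pid, image), hits in foreign_reads.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            cats = sorted({h[1] for h in in_window})
            if len(cats) >= min_categories:
                findings.append({"rule": "credential_store_sweep", "pid": pid, "image": image,
                                 "categories": cats, "targets": [h[2] for h in in_window]})
                break
    return findings


# Constructed events mirroring the report's artefacts (PID 5840 is from the report; times are invented).
T0 = datetime(2021, 1, 1, 12, 0, 0)
SAMPLE = r"C:\Users\user\Desktop\MV YICHUNpdf.exe"
SAMPLE_EVENTS = [
    {"type": "process", "ts": T0, "pid": 6012, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "parent_image": SAMPLE, "cmdline": "'netsh' wlan show profile"},
    {"type": "file", "ts": T0 + timedelta(seconds=2), "pid": 5840, "image": SAMPLE,
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file", "ts": T0 + timedelta(seconds=3), "pid": 5840, "image": SAMPLE,
     "target": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    {"type": "registry", "ts": T0 + timedelta(seconds=4), "pid": 5840, "image": SAMPLE,
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"type": "file", "ts": T0 + timedelta(seconds=5), "pid": 5840, "image": SAMPLE,
     "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    # Benign controls: Chrome reading its own store; netsh launched from an interactive cmd.exe.
    {"type": "file", "ts": T0, "pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "process", "ts": T0, "pid": 7001, "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "netsh wlan show profile"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The second rule is what separates a stealer from normal software: every application in the list reads its own store, but only a foreign process reads the stores of a browser, an FTP client, a mail client and WinSCP within seconds of each other, which is exactly the sequence of file and key opens recorded above. The parent-path heuristic in the first rule is deliberately weak (a stealer can proxy through cmd.exe or PowerShell), so in production it should be combined with the process tree and with the follow-up `key=clear` invocation that the Sigma rule named in the header looks for.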

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000006.00000002.884972403.0000000002A90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.505928890.00000000036EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.882138207.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MV YICHUNpdf.exe PID: 5536, type: MEMORY
Source: Yara match | File source: Process Memory Space: MV YICHUNpdf.exe PID: 5840, type: MEMORY
Source: Yara match | File source: 6.2.MV YICHUNpdf.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Techniques are listed per tactic column of the report's matrix, in row order. Numbers in parentheses are the report's signature-hit badges for techniques matched by one or more signatures; entries without a badge are the unmatched techniques of the matrix template.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (2 1 1); Scheduled Task (1); Windows Management Instrumentation; Scheduled Task; Command-Line Interface
Persistence: Scheduled Task (1); Port Monitors; Accessibility Features; System Firmware; Shortcut Modification
Privilege Escalation: Process Injection (1 2); Scheduled Task (1); Path Interception; DLL Search Order Hijacking; File System Permissions Weakness
Defense Evasion: Software Packing (3); Disabling Security Tools (1 1); Obfuscated Files or Information (2); Masquerading (1); Virtualization/Sandbox Evasion (1 3)
Credential Access: Credential Dumping (2); Input Capture (1); Credentials in Registry (1); Credentials in Files; Account Manipulation
Discovery: Account Discovery (1); Security Software Discovery (2 1 1); File and Directory Discovery (1); System Information Discovery (1 1 4); Virtualization/Sandbox Evasion (1 3)
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot
Collection: Data from Local System (2); Email Collection (1); Input Capture (1); Input Capture; Data Staged
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer
Command and Control: Uncommonly Used Port (1); Standard Cryptographic Protocol (1); Standard Non-Application Layer Protocol (1); Standard Application Layer Protocol (1 1); Standard Cryptographic Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud