
Analysis Report FedEx delivery form.exe

Overview

General Information

Sample Name: FedEx delivery form.exe
Analysis ID: 299675
MD5: 67c078e36be82dc655ee54c076b4e1ca
SHA1: bc54afc08c3e612134bcc9ef0dbed97ef6a0fe58
SHA256: 6d3f0ca9deedbcfa8eec86ba0907881c02c986e8535b56a59b870dd8a6cafa0e
Tags: AgentTesla, exe, FedEx


Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM_3
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • FedEx delivery form.exe (PID: 6772 cmdline: 'C:\Users\user\Desktop\FedEx delivery form.exe' MD5: 67C078E36BE82DC655EE54C076B4E1CA)
    • schtasks.exe (PID: 7020 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nPErTQzbiJwg' /XML 'C:\Users\user\AppData\Local\Temp\tmpC3B9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • FedEx delivery form.exe (PID: 7012 cmdline: {path} MD5: 67C078E36BE82DC655EE54C076B4E1CA)
      • reg.exe (PID: 1004 cmdline: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / v DisableTaskMgr / t REG_DWORD / d 1 / f MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • conhost.exe (PID: 4684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • WCPCe.exe (PID: 6916 cmdline: 'C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe' MD5: 67C078E36BE82DC655EE54C076B4E1CA)
    • schtasks.exe (PID: 5048 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nPErTQzbiJwg' /XML 'C:\Users\user\AppData\Local\Temp\tmp987E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WCPCe.exe (PID: 3496 cmdline: {path} MD5: 67C078E36BE82DC655EE54C076B4E1CA)
  • WCPCe.exe (PID: 6704 cmdline: 'C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe' MD5: 67C078E36BE82DC655EE54C076B4E1CA)
    • schtasks.exe (PID: 5540 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nPErTQzbiJwg' /XML 'C:\Users\user\AppData\Local\Temp\tmpB4EF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WCPCe.exe (PID: 5532 cmdline: {path} MD5: 67C078E36BE82DC655EE54C076B4E1CA)
    • WCPCe.exe (PID: 5624 cmdline: {path} MD5: 67C078E36BE82DC655EE54C076B4E1CA)
  • cleanup

Malware Configuration

Threatname: Agenttesla

Username: Y9EcurR0jhLs
URL: https://jJnHScB6tQ8.org
To: ugoblaq@ritac-eg.com
ByHost: smtp.ritac-eg.com:587
Password: rgumpNwhW
From: ugoblaq@ritac-eg.com

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000016.00000002.921921241.0000000002CF1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000F.00000002.815743334.0000000004253000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.915197604.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.676214736.00000000046F5000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000016.00000002.922301062.0000000002D90000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(16 matching memory dumps in total; first 5 listed)

Unpacked PEs

Source | Rule | Description | Author
18.2.WCPCe.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.FedEx delivery form.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
22.2.WCPCe.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

                  Sigma Overview

                  System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nPErTQzbiJwg' /XML 'C:\Users\user\AppData\Local\Temp\tmpC3B9.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nPErTQzbiJwg' /XML 'C:\Users\user\AppData\Local\Temp\tmpC3B9.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\FedEx delivery form.exe', ParentImage: C:\Users\user\Desktop\FedEx delivery form.exe, ParentProcessId: 6772, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nPErTQzbiJwg' /XML 'C:\Users\user\AppData\Local\Temp\tmpC3B9.tmp', ProcessId: 7020
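The Sigma match above keys on schtasks.exe being launched with /Create and a task-definition XML that lives in a temp directory. The Python below is an added example, not part of this report and not Joe Sandbox's rule code: it evaluates that logic over constructed process-creation events (the first modelled on the command line in the match, the other two benign) and rates a hit higher when the parent binary runs from a user-writable path, as the parent does here. Field names follow the Sigma fields shown above; the sample events, the path regexes and the severity scheme are assumptions.

```python
import re

# Constructed process-creation events (sample input, not events from the report).
# Field names mirror the Sigma match data: Image, CommandLine, ParentImage.
SAMPLE_EVENTS = [
    {   # modelled on the schtasks command line in the Sigma match
        "Image": r"C:\Windows\SysWOW64\schtasks.exe",
        "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nPErTQzbiJwg' /XML 'C:\Users\user\AppData\Local\Temp\tmpC3B9.tmp'",
        "ParentImage": r"C:\Users\user\Desktop\FedEx delivery form.exe",
    },
    {   # benign: task registered from a non-temp, non-user path
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r"schtasks.exe /Create /TN Backup /XML C:\ProgramData\Backup\task.xml",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # benign: not a /Create at all
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r"schtasks.exe /Query /TN Backup",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]

# Assumed temp locations and user-writable parent locations (tune per environment).
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(?:Desktop|Downloads|AppData)\\", re.IGNORECASE)


def xml_argument(cmdline):
    """Return the path given to /XML, or None. Accepts 'quoted', "quoted" and bare paths."""
    m = re.search(r"/XML\s+(?:'([^']+)'|\"([^\"]+)\"|(\S+))", cmdline, re.IGNORECASE)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def scheduled_task_from_temp(event):
    """Sigma-style check: schtasks /Create whose task XML sits in a temp directory.

    Returns a finding dict, or None when the event does not match.
    """
    if not event["Image"].lower().endswith("\\schtasks.exe"):
        return None
    cmd = event["CommandLine"]
    if not re.search(r"/Create\b", cmd, re.IGNORECASE):
        return None
    xml = xml_argument(cmd)
    if xml is None or not TEMP_DIR_RE.search(xml):
        return None
    # A parent launched from Desktop/Downloads/AppData is the dropper pattern seen here.
    severity = "high" if USER_WRITABLE_RE.search(event["ParentImage"]) else "medium"
    return {
        "rule": "Scheduled temp file as task from temp location",
        "xml": xml,
        "parent": event["ParentImage"],
        "severity": severity,
    }


def scan(events):
    """Run the rule over a list of events and return the findings."""
    return [hit for hit in (scheduled_task_from_temp(e) for e in events) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The /XML argument is parsed rather than substring-matched so that a task definition in `C:\ProgramData` does not fire merely because the word Temp appears elsewhere on the command line.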

                  Signature Overview


                  AV Detection:

Found malware configuration
Source: WCPCe.exe.5624.22.memstr; Malware Configuration Extractor: Agenttesla {"Username: ": "Y9EcurR0jhLs", "URL: ": "https://jJnHScB6tQ8.org", "To: ": "ugoblaq@ritac-eg.com", "ByHost: ": "smtp.ritac-eg.com:587", "Password: ": "rgumpNwhW", "From: ": "ugoblaq@ritac-eg.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe; ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Roaming\nPErTQzbiJwg.exe; ReversingLabs: Detection: 20%
Multi AV Scanner detection for submitted file
Source: FedEx delivery form.exe; ReversingLabs: Detection: 20%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\nPErTQzbiJwg.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: FedEx delivery form.exe; Joe Sandbox ML: detected
Source: 5.2.FedEx delivery form.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 18.2.WCPCe.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 22.2.WCPCe.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8

                  Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49762 -> 208.91.199.225:587
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49763 -> 208.91.199.224:587
Source: global traffic; TCP traffic: 192.168.2.4:49762 -> 208.91.199.225:587
Source: global traffic; TCP traffic: 192.168.2.4:49763 -> 208.91.199.224:587
Source: Joe Sandbox View; IP Address: 208.91.199.225
Source: Joe Sandbox View; IP Address: 208.91.199.224
Source: Joe Sandbox View; ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: unknown; DNS traffic detected: queries for: smtp.ritac-eg.com
Source: FedEx delivery form.exe, 00000000.00000002.676214736.00000000046F5000.00000004.00000001.sdmp, FedEx delivery form.exe, 00000005.00000002.915197604.0000000000402000.00000040.00000001.sdmp, WCPCe.exe, 0000000E.00000002.795057080.0000000004223000.00000004.00000001.sdmp, WCPCe.exe, 0000000F.00000002.815743334.0000000004253000.00000004.00000001.sdmp, WCPCe.exe, 00000012.00000002.839332878.0000000000402000.00000040.00000001.sdmp, WCPCe.exe, 00000016.00000002.915232656.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: http://127.0.0.1:
Source: FedEx delivery form.exe, 00000000.00000002.672564881.0000000003451000.00000004.00000001.sdmp, WCPCe.exe, 0000000E.00000002.788713083.0000000002F81000.00000004.00000001.sdmp, WCPCe.exe, 0000000F.00000002.809100822.0000000002FB1000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: FedEx delivery form.exe, 00000005.00000002.922334938.0000000003390000.00000004.00000001.sdmp, WCPCe.exe, 00000016.00000002.923337674.0000000002F56000.00000004.00000001.sdmp; String found in binary or memory: http://smtp.ritac-eg.com
Source: WCPCe.exe; String found in binary or memory: http://tempuri.org/supermartDataSet.xsd
Source: FedEx delivery form.exe; String found in binary or memory: http://tempuri.org/supermartDataSet.xsdQhttp://tempuri.org/supermartDataSet2.xsd
Source: WCPCe.exe; String found in binary or memory: http://tempuri.org/supermartDataSet1.xsd
Source: FedEx delivery form.exe; String found in binary or memory: http://tempuri.org/supermartDataSet1.xsdYSELECT
Source: WCPCe.exe; String found in binary or memory: http://tempuri.org/supermartDataSet2.xsd
Source: FedEx delivery form.exe, 00000005.00000002.922334938.0000000003390000.00000004.00000001.sdmp, WCPCe.exe, 00000016.00000002.923337674.0000000002F56000.00000004.00000001.sdmp; String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: FedEx delivery form.exe, 00000000.00000002.676214736.00000000046F5000.00000004.00000001.sdmp, FedEx delivery form.exe, 00000005.00000002.915197604.0000000000402000.00000040.00000001.sdmp, WCPCe.exe, 0000000E.00000002.795057080.0000000004223000.00000004.00000001.sdmp, WCPCe.exe, 0000000F.00000002.815743334.0000000004253000.00000004.00000001.sdmp, WCPCe.exe, 00000012.00000002.839332878.0000000000402000.00000040.00000001.sdmp, WCPCe.exe, 00000016.00000002.915232656.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: FedEx delivery form.exe, 00000005.00000002.921085705.0000000003289000.00000004.00000001.sdmp, WCPCe.exe, 00000016.00000002.922662765.0000000002E4F000.00000004.00000001.sdmp; String found in binary or memory: https://jJnHScB6tQ8.or
Source: WCPCe.exe, 00000016.00000002.921921241.0000000002CF1000.00000004.00000001.sdmp, WCPCe.exe, 00000016.00000002.922662765.0000000002E4F000.00000004.00000001.sdmp; String found in binary or memory: https://jJnHScB6tQ8.org
Source: FedEx delivery form.exe, 00000000.00000002.676214736.00000000046F5000.00000004.00000001.sdmp, FedEx delivery form.exe, 00000005.00000002.915197604.0000000000402000.00000040.00000001.sdmp, WCPCe.exe, 0000000E.00000002.795057080.0000000004223000.00000004.00000001.sdmp, WCPCe.exe, 0000000F.00000002.815743334.0000000004253000.00000004.00000001.sdmp, WCPCe.exe, 00000012.00000002.839332878.0000000000402000.00000040.00000001.sdmp, WCPCe.exe, 00000016.00000002.915232656.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: FedEx delivery form.exe, 00000000.00000002.676214736.00000000046F5000.00000004.00000001.sdmp, FedEx delivery form.exe, 00000005.00000002.915197604.0000000000402000.00000040.00000001.sdmp, WCPCe.exe, 0000000E.00000002.795057080.0000000004223000.00000004.00000001.sdmp, WCPCe.exe, 0000000F.00000002.815743334.0000000004253000.00000004.00000001.sdmp, WCPCe.exe, 00000012.00000002.839332878.0000000000402000.00000040.00000001.sdmp, WCPCe.exe, 00000016.00000002.915232656.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/U
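The Snort hits above (ET SID 2030171) and the extracted ByHost value describe the same exfiltration channel: SMTP on port 587 from a binary under AppData\Roaming to the configured relay. The Python below is an added example, not the report's or Joe Sandbox's code: it derives host and port from the ByHost string and applies three checks to constructed flow records that carry process attribution (the shape of data you get by joining Sysmon network events with DNS events). The flow records, the mail-client allowlist and the internal-network ranges are assumptions; the benign destination uses the 203.0.113.0/24 documentation range.

```python
import ipaddress

# Copied from the report's extracted AgentTesla configuration.
CONFIG_BYHOST = "smtp.ritac-eg.com:587"

SMTP_PORTS = {25, 465, 587}
# Assumption: processes that may legitimately speak SMTP on a workstation.
MAIL_CLIENT_ALLOWLIST = {"outlook.exe", "thunderbird.exe"}
# Assumption: what counts as internal; is_private() is avoided because it also
# covers the documentation ranges used for the sample data below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed flow records (sample input, not the report's pcap).
SAMPLE_FLOWS = [
    {"process": r"C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe",
     "dst": "208.91.199.225", "dport": 587, "dns_name": "smtp.ritac-eg.com"},
    {"process": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst": "203.0.113.10", "dport": 587, "dns_name": "smtp.mail.example"},
    {"process": r"C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe",
     "dst": "192.168.2.1", "dport": 53, "dns_name": None},
]


def parse_byhost(byhost):
    """Split an AgentTesla ByHost value ('host:port') into (host, port)."""
    host, _, port = byhost.rpartition(":")
    return host.lower(), int(port)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify_flow(flow, c2_host, c2_port):
    """Return the reasons a flow looks like stealer exfiltration (empty list if none)."""
    reasons = []
    proc_name = flow["process"].rsplit("\\", 1)[-1].lower()
    external = not is_internal(flow["dst"])
    # 1. Exact match on the relay taken from the extracted config.
    if flow["dport"] == c2_port and (flow.get("dns_name") or "").lower() == c2_host:
        reasons.append("destination matches extracted AgentTesla SMTP config")
    # 2. Generic: SMTP to the Internet from something that is not a mail client.
    if flow["dport"] in SMTP_PORTS and external and proc_name not in MAIL_CLIENT_ALLOWLIST:
        reasons.append("outbound SMTP from a process that is not a mail client")
    # 3. Generic: Internet-bound traffic from a binary living in the user's roaming profile.
    if external and "\\appdata\\roaming\\" in flow["process"].lower():
        reasons.append("Internet-bound traffic from a binary under AppData\\Roaming")
    return reasons


def triage(flows, byhost=CONFIG_BYHOST):
    """Map flow index -> reasons, for flows that trip at least one check."""
    host, port = parse_byhost(byhost)
    hits = {}
    for i, flow in enumerate(flows):
        reasons = classify_flow(flow, host, port)
        if reasons:
            hits[i] = reasons
    return hits


if __name__ == "__main__":
    for idx, why in triage(SAMPLE_FLOWS).items():
        print(idx, SAMPLE_FLOWS[idx]["dst"], why)
```

Checks 2 and 3 do not depend on the extracted configuration, so they keep firing when the operator rotates the relay; check 1 is the precise IOC match for this sample.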

                  Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\FedEx delivery form.exe; File written: C:\Windows\System32\drivers\etc\hosts
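The report records that the sample writes C:\Windows\System32\drivers\etc\hosts but not what it wrote; on a stock Windows install that file contains only comments, so any active line is worth a look, and stealers typically use it to sinkhole vendor or update domains. The Python below is an added example, not code from the report: a hosts parser that drops comments and trailing annotations and then flags every active mapping, classifying loopback and 0.0.0.0 targets as sinkholes and anything else as a redirect. The file content is constructed and uses reserved .example names.

```python
# Constructed hosts file content (sample input; the report does not show the
# bytes the sample wrote). Lines 3 and 4 are the commented-out defaults.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "# localhost name resolution is handled within DNS itself.\n"
    "#\t127.0.0.1       localhost\n"
    "#\t::1             localhost\n"
    "127.0.0.1 av-update.example telemetry.av-vendor.example\n"
    "0.0.0.0 sandbox-submit.example   # trailing comment\n"
)

SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return active (ip, [names]) mappings; comments and blank lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:                    # an address with no names is not a mapping
            continue
        entries.append((fields[0], [n.lower() for n in fields[1:]]))
    return entries


def tampered_entries(entries):
    """Flag every active mapping except plain 'localhost' lines.

    Names pointed at loopback/0.0.0.0 are sinkholes (the AV/update-blocking
    pattern); any other target is a redirect to an attacker-chosen address.
    """
    findings = []
    for ip, names in entries:
        if ip in SINKHOLE_IPS and names == ["localhost"]:
            continue
        findings.append({
            "ip": ip,
            "names": names,
            "kind": "sinkhole" if ip in SINKHOLE_IPS else "redirect",
        })
    return findings


def check_hosts(text):
    """Convenience wrapper: parse and classify in one call."""
    return tampered_entries(parse_hosts(text))


if __name__ == "__main__":
    for finding in check_hosts(SAMPLE_HOSTS):
        print(finding)
```

Run it against the live file by reading `C:\Windows\System32\drivers\etc\hosts` and passing the text to `check_hosts`; an empty result is the expected state on an untouched machine.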

                  System Summary:

Source: C:\Users\user\Desktop\FedEx delivery form.exe; Code functions: 0_2_00DBA9ED, 0_2_00DB9AB8, 0_2_0172EAD8, 0_2_0586A53C, 0_2_0586D14A, 0_2_0586D158
Source: C:\Users\user\Desktop\FedEx delivery form.exe; Code functions: 5_2_00D3A9ED, 5_2_00D39AB8, 5_2_0177A280, 5_2_0177A5C8, 5_2_0177CE58, 5_2_0177AE98, 5_2_01771408, 5_2_059D8734, 5_2_059DCD80, 5_2_059D4C30, 5_2_059D48D8, 5_2_059D8BF0, 5_2_059D7B20, 5_2_059D8728, 5_2_059DC308, 5_2_059DC37C, 5_2_059DCD71, 5_2_059D4C21, 5_2_059DBF20, 5_2_059D48C9, 5_2_059D7AB2, 5_2_06915BA8, 5_2_06913050, 5_2_069146B0, 5_2_069146A0, 5_2_0691177C, 5_2_06911763, 5_2_06910CD7, 5_2_06916550, 5_2_069142BD, 5_2_06915B9B, 5_2_06913BB9, 5_2_06913BC8, 5_2_06910B28, 5_2_06913041, 5_2_06911159, 5_2_06911168
Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe; Code functions: 14_2_00A39AB8, 14_2_00A3A9ED, 14_2_02E3D658, 14_2_0C643958, 14_2_0C640328, 14_2_0C6405E9, 14_2_0C6405F8, 14_2_0C640040, 14_2_0C640006, 14_2_0C640318
Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe; Code functions: 15_2_00A19AB8, 15_2_00A1A9ED, 15_2_02F9D658, 15_2_0639A53C, 15_2_0639D158, 15_2_0639D14A, 15_2_064F78A2, 15_2_064F4918, 15_2_064F8B58, 15_2_064FEBE0
Source: FedEx delivery form.exe; Binary or memory string: OriginalFilename vs FedEx delivery form.exe
Source: FedEx delivery form.exe, 00000000.00000002.672564881.0000000003451000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameB2B.exe4 vs FedEx delivery form.exe
Source: FedEx delivery form.exe, 00000000.00000002.676214736.00000000046F5000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSQkFoqQzSIlGjtdMNzKxHQAQYBpUXs.exe( vs FedEx delivery form.exe
Source: FedEx delivery form.exe, 00000000.00000002.676214736.00000000046F5000.00000004.00000001.sdmp; Binary or memory string: OriginalFilename) vs FedEx delivery form.exe
Source: FedEx delivery form.exe, 00000000.00000002.678702896.000000000C880000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs FedEx delivery form.exe
Source: FedEx delivery form.exe, 00000000.00000002.678895335.000000000C970000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs FedEx delivery form.exe
Source: FedEx delivery form.exe, 00000000.00000002.678895335.000000000C970000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs FedEx delivery form.exe
Source: FedEx delivery form.exe, 00000005.00000002.916099026.0000000000F97000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameUNKNOWN_FILET vs FedEx delivery form.exe
Source: FedEx delivery form.exe, 00000005.00000002.926148245.00000000069D0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs FedEx delivery form.exe
Source: FedEx delivery form.exe, 00000005.00000002.915668713.0000000000D32000.00000002.00020000.sdmp; Binary or memory string: OriginalFilename) vs FedEx delivery form.exe
Source: FedEx delivery form.exe, 00000005.00000002.925940336.0000000006960000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamewshom.ocx.mui vs FedEx delivery form.exe
Source: FedEx delivery form.exe, 00000005.00000002.917714428.000000000153A000.00000004.00000020.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs FedEx delivery form.exe
Source: FedEx delivery form.exe, 00000005.00000002.915197604.0000000000402000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenameSQkFoqQzSIlGjtdMNzKxHQAQYBpUXs.exe( vs FedEx delivery form.exe
Source: FedEx delivery form.exe, 00000005.00000002.925344892.00000000063E0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs FedEx delivery form.exe
Source: FedEx delivery form.exe; Binary or memory string: OriginalFilename) vs FedEx delivery form.exe
Source: unknown; Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / v DisableTaskMgr / t REG_DWORD / d 1 / f
Source: FedEx delivery form.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: nPErTQzbiJwg.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WCPCe.exe.5.dr; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine; Classification label: mal100.troj.adwa.spyw.evad.winEXE@23/9@4/2
Source: C:\Users\user\Desktop\FedEx delivery form.exe; File created: C:\Users\user\AppData\Roaming\nPErTQzbiJwg.exe
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4684:120:WilError_01
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2588:120:WilError_01
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6996:120:WilError_01
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5556:120:WilError_01
Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: C:\Users\user\Desktop\FedEx delivery form.exe; File created: C:\Users\user\AppData\Local\Temp\tmpC3B9.tmp
Source: C:\Users\user\Desktop\FedEx delivery form.exe; Section loaded (2 times): C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe; Section loaded (4 times): C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\FedEx delivery form.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\FedEx delivery form.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe; WMI Queries (2 times): IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FedEx delivery form.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\FedEx delivery form.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\FedEx delivery form.exe; File read (4 times): C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe; File read (4 times): C:\Windows\System32\drivers\etc\hosts
Source: FedEx delivery form.exe, 00000000.00000002.676214736.00000000046F5000.00000004.00000001.sdmp, FedEx delivery form.exe, 00000005.00000002.915668713.0000000000D32000.00000002.00020000.sdmp, WCPCe.exe, 0000000E.00000000.758464442.0000000000A32000.00000002.00020000.sdmp, WCPCe.exe, 0000000F.00000002.806596433.0000000000A12000.00000002.00020000.sdmp, WCPCe.exe, 00000012.00000000.782267141.0000000000992000.00000002.00020000.sdmp, WCPCe.exe, 00000015.00000000.797201449.0000000000312000.00000002.00020000.sdmp, WCPCe.exe, 00000016.00000000.803052428.00000000005B2000.00000002.00020000.sdmp; Binary or memory string: UPDATE [dbo].[purchase] SET [sup_id] = @sup_id, [item_id] = @item_id, [cost_price] = @cost_price, [quantity] = @quantity, [unit] = @unit, [entry_date] = @entry_date, [selling_price] = @selling_price WHERE (([purchase_id] = @Original_purchase_id) AND ([sup_id] = @Original_sup_id) AND ([item_id] = @Original_item_id) AND ([cost_price] = @Original_cost_price) AND ([quantity] = @Original_quantity) AND ([unit] = @Original_unit) AND ([entry_date] = @Original_entry_date) AND ((@IsNull_selling_price = 1 AND [selling_price] IS NULL) OR ([selling_price] = @Original_selling_price)));
Source: FedEx delivery form.exe, 00000000.00000002.676214736.00000000046F5000.00000004.00000001.sdmp, FedEx delivery form.exe, 00000005.00000002.915668713.0000000000D32000.00000002.00020000.sdmp, WCPCe.exe, 0000000E.00000000.758464442.0000000000A32000.00000002.00020000.sdmp, WCPCe.exe, 0000000F.00000002.806596433.0000000000A12000.00000002.00020000.sdmp, WCPCe.exe, 00000012.00000000.782267141.0000000000992000.00000002.00020000.sdmp, WCPCe.exe, 00000015.00000000.797201449.0000000000312000.00000002.00020000.sdmp, WCPCe.exe, 00000016.00000000.803052428.00000000005B2000.00000002.00020000.sdmp; Binary or memory string: UPDATE [dbo].[supplier] SET [sup_address] = @sup_address, [sup_phone] = @sup_phone, [entry_date] = @entry_date, [purchase_id] = @purchase_id WHERE (([sup_id] = @Original_sup_id) AND ((@IsNull_sup_address = 1 AND [sup_address] IS NULL) OR ([sup_address] = @Original_sup_address)) AND ((@IsNull_sup_phone = 1 AND [sup_phone] IS NULL) OR ([sup_phone] = @Original_sup_phone)) AND ([entry_date] = @Original_entry_date) AND ((@IsNull_purchase_id = 1 AND [purchase_id] IS NULL) OR ([purchase_id] = @Original_purchase_id)));
Source: FedEx delivery form.exe, 00000000.00000002.676214736.00000000046F5000.00000004.00000001.sdmp, FedEx delivery form.exe, 00000005.00000002.915668713.0000000000D32000.00000002.00020000.sdmp, WCPCe.exe, 0000000E.00000000.758464442.0000000000A32000.00000002.00020000.sdmp, WCPCe.exe, 0000000F.00000002.806596433.0000000000A12000.00000002.00020000.sdmp, WCPCe.exe, 00000012.00000000.782267141.0000000000992000.00000002.00020000.sdmp, WCPCe.exe, 00000015.00000000.797201449.0000000000312000.00000002.00020000.sdmp, WCPCe.exe, 00000016.00000000.803052428.00000000005B2000.00000002.00020000.sdmp; Binary or memory string: INSERT INTO [dbo].[supplier] ([sup_address], [sup_phone], [entry_date], [purchase_id]) VALUES (@sup_address, @sup_phone, @entry_date, @purchase_id);
Source: FedEx delivery form.exe, 00000000.00000002.676214736.00000000046F5000.00000004.00000001.sdmp, FedEx delivery form.exe, 00000005.00000002.915668713.0000000000D32000.00000002.00020000.sdmp, WCPCe.exe, 0000000E.00000000.758464442.0000000000A32000.00000002.00020000.sdmp, WCPCe.exe, 0000000F.00000002.806596433.0000000000A12000.00000002.00020000.sdmp, WCPCe.exe, 00000012.00000000.782267141.0000000000992000.00000002.00020000.sdmp, WCPCe.exe, 00000015.00000000.797201449.0000000000312000.00000002.00020000.sdmp, WCPCe.exe, 00000016.00000000.803052428.00000000005B2000.00000002.00020000.sdmp; Binary or memory string: UPDATE [dbo].[sale] SET [cus_id] = @cus_id, [item_id] = @item_id, [quantity] = @quantity, [date] = @date, [total_price] = @total_price, [selling_price] = @selling_price WHERE (([sale_id] = @Original_sale_id) AND ([cus_id] = @Original_cus_id) AND ([item_id] = @Original_item_id) AND ([quantity] = @Original_quantity) AND ([date] = @Original_date) AND ([total_price] = @Original_total_price) AND ((@IsNull_selling_price = 1 AND [selling_price] IS NULL) OR ([selling_price] = @Original_selling_price)));
Source: WCPCe.exe; Binary or memory string: INSERT INTO [dbo].[item] ([item_name], [quantity], [price], [date]) VALUES (@item_name, @quantity, @price, @date); SELECT item_id,
                  Source: FedEx delivery form.exe, 00000000.00000002.676214736.00000000046F5000.00000004.00000001.sdmp, FedEx delivery form.exe, 00000005.00000002.915668713.0000000000D32000.00000002.00020000.sdmp, WCPCe.exe, 0000000E.00000000.758464442.0000000000A32000.00000002.00020000.sdmp, WCPCe.exe, 0000000F.00000002.806596433.0000000000A12000.00000002.00020000.sdmp, WCPCe.exe, 00000012.00000000.782267141.0000000000992000.00000002.00020000.sdmp, WCPCe.exe, 00000015.00000000.797201449.0000000000312000.00000002.00020000.sdmp, WCPCe.exe, 00000016.00000000.803052428.00000000005B2000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [dbo].[purchase] ([sup_id], [item_id], [cost_price], [quantity], [unit], [entry_date], [selling_price]) VALUES (@sup_id, @item_id, @cost_price, @quantity, @unit, @entry_date, @selling_price);
                  Source: FedEx delivery form.exe, 00000000.00000002.676214736.00000000046F5000.00000004.00000001.sdmp, FedEx delivery form.exe, 00000005.00000002.915668713.0000000000D32000.00000002.00020000.sdmp, WCPCe.exe, 0000000E.00000000.758464442.0000000000A32000.00000002.00020000.sdmp, WCPCe.exe, 0000000F.00000002.806596433.0000000000A12000.00000002.00020000.sdmp, WCPCe.exe, 00000012.00000000.782267141.0000000000992000.00000002.00020000.sdmp, WCPCe.exe, 00000015.00000000.797201449.0000000000312000.00000002.00020000.sdmp, WCPCe.exe, 00000016.00000000.803052428.00000000005B2000.00000002.00020000.sdmpBinary or memory string: UPDATE [dbo].[sale] SET [cus_id] = @cus_id, [item_id] = @item_id, [quantity] = @quantity, [selling_price] = @selling_price, [date] = @date WHERE (([sale_id] = @Original_sale_id) AND ([cus_id] = @Original_cus_id) AND ([item_id] = @Original_item_id) AND ([quantity] = @Original_quantity) AND ([selling_price] = @Original_selling_price) AND ([date] = @Original_date));
                  Source: FedEx delivery form.exe, 00000000.00000002.676214736.00000000046F5000.00000004.00000001.sdmp, FedEx delivery form.exe, 00000005.00000002.915668713.0000000000D32000.00000002.00020000.sdmp, WCPCe.exe, 0000000E.00000000.758464442.0000000000A32000.00000002.00020000.sdmp, WCPCe.exe, 0000000F.00000002.806596433.0000000000A12000.00000002.00020000.sdmp, WCPCe.exe, 00000012.00000000.782267141.0000000000992000.00000002.00020000.sdmp, WCPCe.exe, 00000015.00000000.797201449.0000000000312000.00000002.00020000.sdmp, WCPCe.exe, 00000016.00000000.803052428.00000000005B2000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [dbo].[supplier] ([sup_address], [sup_phone], [entry_date], [sup_name]) VALUES (@sup_address, @sup_phone, @entry_date, @sup_name);
                  Source: FedEx delivery form.exe, 00000000.00000002.676214736.00000000046F5000.00000004.00000001.sdmp, FedEx delivery form.exe, 00000005.00000002.915668713.0000000000D32000.00000002.00020000.sdmp, WCPCe.exe, 0000000E.00000000.758464442.0000000000A32000.00000002.00020000.sdmp, WCPCe.exe, 0000000F.00000002.806596433.0000000000A12000.00000002.00020000.sdmp, WCPCe.exe, 00000012.00000000.782267141.0000000000992000.00000002.00020000.sdmp, WCPCe.exe, 00000015.00000000.797201449.0000000000312000.00000002.00020000.sdmp, WCPCe.exe, 00000016.00000000.803052428.00000000005B2000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [dbo].[item] ([item_name], [quantity], [price], [date]) VALUES (@item_name, @quantity, @price, @date);
                  Source: FedEx delivery form.exe, 00000000.00000002.676214736.00000000046F5000.00000004.00000001.sdmp, FedEx delivery form.exe, 00000005.00000002.915668713.0000000000D32000.00000002.00020000.sdmp, WCPCe.exe, 0000000E.00000000.758464442.0000000000A32000.00000002.00020000.sdmp, WCPCe.exe, 0000000F.00000002.806596433.0000000000A12000.00000002.00020000.sdmp, WCPCe.exe, 00000012.00000000.782267141.0000000000992000.00000002.00020000.sdmp, WCPCe.exe, 00000015.00000000.797201449.0000000000312000.00000002.00020000.sdmp, WCPCe.exe, 00000016.00000000.803052428.00000000005B2000.00000002.00020000.sdmpBinary or memory string: UPDATE [dbo].[item] SET [item_name] = @item_name, [quantity] = @quantity, [price] = @price, [date] = @date WHERE (([item_id] = @Original_item_id) AND ([item_name] = @Original_item_name) AND ([quantity] = @Original_quantity) AND ([price] = @Original_price) AND ([date] = @Original_date));
                  Source: FedEx delivery form.exe, 00000000.00000002.676214736.00000000046F5000.00000004.00000001.sdmp, FedEx delivery form.exe, 00000005.00000002.915668713.0000000000D32000.00000002.00020000.sdmp, WCPCe.exe, 0000000E.00000000.758464442.0000000000A32000.00000002.00020000.sdmp, WCPCe.exe, 0000000F.00000002.806596433.0000000000A12000.00000002.00020000.sdmp, WCPCe.exe, 00000012.00000000.782267141.0000000000992000.00000002.00020000.sdmp, WCPCe.exe, 00000015.00000000.797201449.0000000000312000.00000002.00020000.sdmp, WCPCe.exe, 00000016.00000000.803052428.00000000005B2000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [dbo].[sale] ([cus_id], [item_id], [quantity], [selling_price], [date]) VALUES (@cus_id, @item_id, @quantity, @selling_price, @date);
                  Source: FedEx delivery form.exe, 00000000.00000002.676214736.00000000046F5000.00000004.00000001.sdmp, FedEx delivery form.exe, 00000005.00000002.915668713.0000000000D32000.00000002.00020000.sdmp, WCPCe.exe, 0000000E.00000000.758464442.0000000000A32000.00000002.00020000.sdmp, WCPCe.exe, 0000000F.00000002.806596433.0000000000A12000.00000002.00020000.sdmp, WCPCe.exe, 00000012.00000000.782267141.0000000000992000.00000002.00020000.sdmp, WCPCe.exe, 00000015.00000000.797201449.0000000000312000.00000002.00020000.sdmp, WCPCe.exe, 00000016.00000000.803052428.00000000005B2000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [dbo].[item] ([item_name], [quantity], [price], [date], [selling_price]) VALUES (@item_name, @quantity, @price, @date, @selling_price);
                  Source: FedEx delivery form.exe, 00000000.00000002.676214736.00000000046F5000.00000004.00000001.sdmp, FedEx delivery form.exe, 00000005.00000002.915668713.0000000000D32000.00000002.00020000.sdmp, WCPCe.exe, 0000000E.00000000.758464442.0000000000A32000.00000002.00020000.sdmp, WCPCe.exe, 0000000F.00000002.806596433.0000000000A12000.00000002.00020000.sdmp, WCPCe.exe, 00000012.00000000.782267141.0000000000992000.00000002.00020000.sdmp, WCPCe.exe, 00000015.00000000.797201449.0000000000312000.00000002.00020000.sdmp, WCPCe.exe, 00000016.00000000.803052428.00000000005B2000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [dbo].[customer] ([cus_name], [cus_phone], [cus_address], [entry_date]) VALUES (@cus_name, @cus_phone, @cus_address, @entry_date);
                  Source: FedEx delivery form.exe, 00000000.00000002.676214736.00000000046F5000.00000004.00000001.sdmp, FedEx delivery form.exe, 00000005.00000002.915668713.0000000000D32000.00000002.00020000.sdmp, WCPCe.exe, 0000000E.00000000.758464442.0000000000A32000.00000002.00020000.sdmp, WCPCe.exe, 0000000F.00000002.806596433.0000000000A12000.00000002.00020000.sdmp, WCPCe.exe, 00000012.00000000.782267141.0000000000992000.00000002.00020000.sdmp, WCPCe.exe, 00000015.00000000.797201449.0000000000312000.00000002.00020000.sdmp, WCPCe.exe, 00000016.00000000.803052428.00000000005B2000.00000002.00020000.sdmpBinary or memory string: UPDATE [dbo].[supplier] SET [sup_address] = @sup_address, [sup_phone] = @sup_phone, [entry_date] = @entry_date, [sup_name] = @sup_name WHERE (([sup_id] = @Original_sup_id) AND ((@IsNull_sup_address = 1 AND [sup_address] IS NULL) OR ([sup_address] = @Original_sup_address)) AND ((@IsNull_sup_phone = 1 AND [sup_phone] IS NULL) OR ([sup_phone] = @Original_sup_phone)) AND ([entry_date] = @Original_entry_date) AND ((@IsNull_sup_name = 1 AND [sup_name] IS NULL) OR ([sup_name] = @Original_sup_name)));
                  Source: FedEx delivery form.exeReversingLabs: Detection: 20%
                  Source: C:\Users\user\Desktop\FedEx delivery form.exeFile read: C:\Users\user\Desktop\FedEx delivery form.exe:Zone.IdentifierJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\FedEx delivery form.exe 'C:\Users\user\Desktop\FedEx delivery form.exe'
                  Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nPErTQzbiJwg' /XML 'C:\Users\user\AppData\Local\Temp\tmpC3B9.tmp'
                  Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Users\user\Desktop\FedEx delivery form.exe {path}
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe 'C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe'
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe 'C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe'
                  Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nPErTQzbiJwg' /XML 'C:\Users\user\AppData\Local\Temp\tmp987E.tmp'
                  Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe {path}
                  Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nPErTQzbiJwg' /XML 'C:\Users\user\AppData\Local\Temp\tmpB4EF.tmp'
                  Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe {path}
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe {path}
                  Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / v DisableTaskMgr / t REG_DWORD / d 1 / f
                  Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\FedEx delivery form.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nPErTQzbiJwg' /XML 'C:\Users\user\AppData\Local\Temp\tmpC3B9.tmp'Jump to behavior
                  Source: C:\Users\user\Desktop\FedEx delivery form.exeProcess created: C:\Users\user\Desktop\FedEx delivery form.exe {path}Jump to behavior
                  Source: C:\Users\user\Desktop\FedEx delivery form.exeProcess created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / v DisableTaskMgr / t REG_DWORD / d 1 / fJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nPErTQzbiJwg' /XML 'C:\Users\user\AppData\Local\Temp\tmp987E.tmp'Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess created: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe {path}Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nPErTQzbiJwg' /XML 'C:\Users\user\AppData\Local\Temp\tmpB4EF.tmp'Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess created: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe {path}Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess created: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe {path}Jump to behavior
                  Source: C:\Users\user\Desktop\FedEx delivery form.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
                  Source: C:\Users\user\Desktop\FedEx delivery form.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Users\user\Desktop\FedEx delivery form.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: FedEx delivery form.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: FedEx delivery form.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: C:\Users\user\Desktop\FedEx delivery form.exeCode function: 0_2_05866390 push esp; ret 0_2_05866391
                  Source: C:\Users\user\Desktop\FedEx delivery form.exeCode function: 5_2_0177DB17 push esi; ret 5_2_0177DB1B
                  Source: C:\Users\user\Desktop\FedEx delivery form.exeCode function: 5_2_0177DBFC push ebp; ret 5_2_0177DC00
                  Source: C:\Users\user\Desktop\FedEx delivery form.exeCode function: 5_2_0177DA9F push edi; ret 5_2_0177DAAC
                  Source: C:\Users\user\Desktop\FedEx delivery form.exeCode function: 5_2_0177DC6E push ebp; ret 5_2_0177DC70
                  Source: C:\Users\user\Desktop\FedEx delivery form.exeCode function: 5_2_0177DED0 push ecx; ret 5_2_0177DEDC
                  Source: C:\Users\user\Desktop\FedEx delivery form.exeCode function: 5_2_06919736 push es; iretd 5_2_06919738
                  Source: C:\Users\user\Desktop\FedEx delivery form.exeCode function: 5_2_0691974E push es; iretd 5_2_06919750
                  Source: C:\Users\user\Desktop\FedEx delivery form.exeCode function: 5_2_06912359 pushad ; ret 5_2_0691235D
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeCode function: 15_2_06396390 push esp; ret 15_2_06396391
Source: initial sample | Static PE information: section name: .text entropy: 7.45172136815
Source: C:\Users\user\Desktop\FedEx delivery form.exe | File created: C:\Users\user\AppData\Roaming\nPErTQzbiJwg.exe
Source: C:\Users\user\Desktop\FedEx delivery form.exe | File created: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nPErTQzbiJwg' /XML 'C:\Users\user\AppData\Local\Temp\tmpC3B9.tmp'
Source: C:\Users\user\Desktop\FedEx delivery form.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WCPCe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\FedEx delivery form.exe | File opened: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe | File opened: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\FedEx delivery form.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\FedEx delivery form.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WCPCe\WCPCe.exeProcess information set: NOOPENFILEERRORBOX