Windows Analysis Report Wellis Inquiry.exe

Overview

General Information

Sample Name: Wellis Inquiry.exe
Analysis ID: 502627
MD5: c357a8010e661a49df2e813bd22590b6
SHA1: 08ecd005e1449ec97d0405e83649686ae35f6286
SHA256: eef137583da6deb4a1be9882cede6cec5112b74ae79c0773f45b13346c5b2890
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.psychedeliccosmetics.com/ag9v/"], "decoy": ["wordmagicshow.com", "dogparkdate.com", "quickcarehomeopathic.com", "azwar.net", "louisle1909.xyz", "section8lv.com", "felineness.com", "2888sy.com", "wadashoot.com", "kittyuniverse.com", "blushroses.com", "alaskangeneral.com", "yumoo.design", "7xkfic.com", "891827.com", "uspress1.com", "aceserial.xyz", "muellerconfidence.com", "eramakport.com", "tipsandtoesnewton.com", "withph.net", "kravesproet.quest", "restaurantemesana.com", "ghostpunk.art", "cobere9.com", "darshanshastra.com", "barnhsartcrane.com", "richartware.com", "welcomprom2.com", "plantvsundeadhelp.com", "hotsatisfy.com", "fullhindimovies.com", "beautynaturalcosmeticslk.com", "googglo.com", "hongyang98.com", "elishevazz.com", "ebookgratis.online", "urbanyinyoga.com", "sojuicybar.com", "seheon.email", "pokemongosrf.com", "catchytravel.com", "stonecoldice.net", "betinle137.com", "platinumridge.art", "agoodhotel.com", "preventbiotech.com", "ebonyslivestockservice.online", "billionairesboat.com", "dollpartyla.com", "naufragant.com", "cat2628.top", "ietwatiomlan.quest", "soulful-simplicity.com", "kalmmed.com", "luxuryray.com", "pknox.net", "687410.com", "blackmagiccomics.com", "usaworkerscorporation.com", "ovmfinacial.com", "marunouchi1.com", "feshwal.com", "qupontgon.quest"]}
Yara detected FormBook
Source: Yara match File source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.Wellis Inquiry.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: Wellis Inquiry.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Wellis Inquiry.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmmon32.pdb source: Wellis Inquiry.exe, 00000003.00000002.747156139.00000000031A0000.00000040.00020000.sdmp
Source: Binary string: cmmon32.pdbGCTL source: Wellis Inquiry.exe, 00000003.00000002.747156139.00000000031A0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: Wellis Inquiry.exe, 00000003.00000002.746125583.00000000012AF000.00000040.00000001.sdmp, cmmon32.exe, 0000000B.00000002.922767322.00000000046B0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Wellis Inquiry.exe, cmmon32.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 4x nop then pop edi 3_2_004162C8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 4x nop then pop edi 11_2_02D362C8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49808 -> 183.90.240.3:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49808 -> 183.90.240.3:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49808 -> 183.90.240.3:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49814 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49814 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49814 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49818 -> 151.106.117.36:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49818 -> 151.106.117.36:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49818 -> 151.106.117.36:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49842 -> 199.59.242.153:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49842 -> 199.59.242.153:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49842 -> 199.59.242.153:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.marunouchi1.com
Source: C:\Windows\explorer.exe Network Connect: 183.90.240.3 80
Source: C:\Windows\explorer.exe Network Connect: 151.106.117.36 80
Source: C:\Windows\explorer.exe Domain query: www.richartware.com
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe Domain query: www.ebookgratis.online
Source: C:\Windows\explorer.exe Network Connect: 199.59.242.153 80
Source: C:\Windows\explorer.exe Domain query: www.ovmfinacial.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.blackmagiccomics.com
Source: C:\Windows\explorer.exe Domain query: www.psychedeliccosmetics.com
Source: C:\Windows\explorer.exe Domain query: www.dollpartyla.com
Source: C:\Windows\explorer.exe Domain query: www.aceserial.xyz
Source: C:\Windows\explorer.exe Network Connect: 104.21.2.218 80
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.aceserial.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.psychedeliccosmetics.com/ag9v/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: BODIS-NJUS
Source: Joe Sandbox View ASN Name: SAKURA-CSAKURAInternetIncJP
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ag9v/?9rq=RZxJGV19NODz6/sPl50rcsjPCmhff0B2cQNSD9XNHlzuAkz3tWy1tz3gnsv2II3OKfXw&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.marunouchi1.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ag9v/?9rq=B7neoLnMPG5T4Lq1mgXXW304ryc0TDTB8h8f/WhOEZEEcWgrsd/ecy8wgWRxVB11aSvz&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.psychedeliccosmetics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ag9v/?9rq=8aghxAEFV3UFLmLUmwXrjnry4I8PGHpXxFVOvh2n7b9U9R7NlIya57CFUx9pJqwzlAw7&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.aceserial.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ag9v/?9rq=VDs0Hn8x6Kri7C1Uc2aKLXPFP0feJseWm2OJ8K++Wp+sqWdpvRON2LvjpBxhi0u2NedX&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.ebookgratis.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ag9v/?9rq=vpuErUH2OwLAPGAltxg3/Zj6XscnxJenLEapnG3NwgRlKVIYyl0HnfsKneQfORBHqYbR&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.ovmfinacial.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ag9v/?9rq=K9/CDnPG5wdyl4CHzmgShg3gLBJ4YNT1Y6jAhZ/FXp8/egWH1BEUOuCtjJEICRxztW+Z&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.dollpartyla.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 199.59.242.153
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 14 Oct 2021 05:29:51 GMTContent-Type: text/htmlContent-Length: 275ETag: "615f93b1-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0Server: BitNinja Captcha ServerDate: Thu, 14 Oct 2021 05:29:57 GMTContent-Length: 13724Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6a 6f 6f 6d 6c 61 2c 20 4a 6f 6f 6d 6c 61 2c 20 6a 6f 6f 6d 6c 61 20 31 2e 35 2c 20 77 6f 72 64 70 72 65 73 73 20 32 2e 35 2c 20 44 72 75 70 61 6c 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4a 6f 6f 6d 6c 61 21 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 4a 6f 6f 6d 6c 61 21 20 31 2e 35 20 2d 20 4f 70 65 6e 20 53 6f 75 72 63 65 20 43 6f 6e 74 65 6e 74 20 4d 61 6e 61 67 65 6d 65 6e 74 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 57 6f 72 64 50 72 65 73 73 20 32 2e 35 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 
6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 57 61 69 74 69 6e 67 20 66 6f 72 20 74 68 65 20 72 65 64 69 72 65 63 74 69 72 6f 6e 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 20 7b 77 69 64 74 68 3a 20 31 30 30 25 3b 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 20 6d 61 72 67 69 6e 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 7d 0a 20 20 20 20 20
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 14 Oct 2021 05:30:28 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Sorting-Hat-PodId: 189X-Sorting-Hat-ShopId: 59880997054X-Request-ID: ff951e54-78cb-49de-931e-6e9b39ead4a9X-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 1; mode=blockX-Download-Options: noopenX-Content-Type-Options: nosniffX-Dc: gcp-europe-west1CF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 69de6a78386b698b-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 
72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css">
Source: Wellis Inquiry.exe, 00000000.00000003.655430474.0000000006353000.00000004.00000001.sdmp String found in binary or memory: http://en.wikip
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Wellis Inquiry.exe, 00000000.00000003.658175918.000000000633C000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com/
Source: Wellis Inquiry.exe, 00000000.00000003.658175918.000000000633C000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comf
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Wellis Inquiry.exe, 00000000.00000003.658175918.000000000633C000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comtal
Source: Wellis Inquiry.exe, 00000000.00000003.658175918.000000000633C000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comw.m
Source: Wellis Inquiry.exe, 00000000.00000002.673404245.00000000081A0000.00000004.00020000.sdmp String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Wellis Inquiry.exe, 00000000.00000002.672511476.0000000006330000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comion
Source: Wellis Inquiry.exe, 00000000.00000002.672511476.0000000006330000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.como
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp, Wellis Inquiry.exe, 00000000.00000003.659071283.0000000006334000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/(
Source: Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/G
Source: Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y03
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/a-e
Source: Wellis Inquiry.exe, 00000000.00000003.658754582.0000000006334000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/i
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/ita
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/G
Source: Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/i
Source: Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/r
Source: Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/tu
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com3
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.comd
Source: Wellis Inquiry.exe, 00000000.00000003.656690322.000000000633A000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: Wellis Inquiry.exe, 00000000.00000003.656404711.000000000634B000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com51
Source: Wellis Inquiry.exe, 00000000.00000003.656404711.000000000634B000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comy
Source: Wellis Inquiry.exe, 00000000.00000003.655923750.000000000634B000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.net
Source: Wellis Inquiry.exe, 00000000.00000003.655882162.000000000634B000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.net4?
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: Wellis Inquiry.exe, 00000000.00000003.655923750.000000000634B000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.neth?
Source: Wellis Inquiry.exe, 00000000.00000003.655923750.000000000634B000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netiv
Source: Wellis Inquiry.exe, 00000000.00000003.655923750.000000000634B000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netrz
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: cmmon32.exe, 0000000B.00000002.923291558.0000000004D62000.00000004.00020000.sdmp String found in binary or memory: https://bitninja.io
Source: unknown DNS traffic detected: queries for: www.marunouchi1.com
Source: global traffic HTTP traffic detected: GET /ag9v/?9rq=RZxJGV19NODz6/sPl50rcsjPCmhff0B2cQNSD9XNHlzuAkz3tWy1tz3gnsv2II3OKfXw&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.marunouchi1.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ag9v/?9rq=B7neoLnMPG5T4Lq1mgXXW304ryc0TDTB8h8f/WhOEZEEcWgrsd/ecy8wgWRxVB11aSvz&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.psychedeliccosmetics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ag9v/?9rq=8aghxAEFV3UFLmLUmwXrjnry4I8PGHpXxFVOvh2n7b9U9R7NlIya57CFUx9pJqwzlAw7&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.aceserial.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ag9v/?9rq=VDs0Hn8x6Kri7C1Uc2aKLXPFP0feJseWm2OJ8K++Wp+sqWdpvRON2LvjpBxhi0u2NedX&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.ebookgratis.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ag9v/?9rq=vpuErUH2OwLAPGAltxg3/Zj6XscnxJenLEapnG3NwgRlKVIYyl0HnfsKneQfORBHqYbR&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.ovmfinacial.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ag9v/?9rq=K9/CDnPG5wdyl4CHzmgShg3gLBJ4YNT1Y6jAhZ/FXp8/egWH1BEUOuCtjJEICRxztW+Z&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.dollpartyla.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: Wellis Inquiry.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 0_2_0176E9D0 0_2_0176E9D0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 0_2_0176C9DC 0_2_0176C9DC
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 0_2_0176E9C0 0_2_0176E9C0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_00401030 3_2_00401030
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0041C95D 3_2_0041C95D
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_00401174 3_2_00401174
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0041BA2C 3_2_0041BA2C
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0041CBBB 3_2_0041CBBB
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_00408C7B 3_2_00408C7B
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_00408C80 3_2_00408C80
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_00402D87 3_2_00402D87
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_00402D90 3_2_00402D90
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_00402FB0 3_2_00402FB0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011BF900 3_2_011BF900
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011D4120 3_2_011D4120
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0128E824 3_2_0128E824
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01271002 3_2_01271002
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011DA830 3_2_011DA830
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_012820A8 3_2_012820A8
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011CB090 3_2_011CB090
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E20A0 3_2_011E20A0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_012828EC 3_2_012828EC
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01282B28 3_2_01282B28
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011DAB40 3_2_011DAB40
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011EEBB0 3_2_011EEBB0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0127DBD2 3_2_0127DBD2
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_012703DA 3_2_012703DA
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0126FA2B 3_2_0126FA2B
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_012822AE 3_2_012822AE
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01282D07 3_2_01282D07
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011B0D20 3_2_011B0D20
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01281D55 3_2_01281D55
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E2581 3_2_011E2581
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_012825DD 3_2_012825DD
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011CD5E0 3_2_011CD5E0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C841F 3_2_011C841F
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0127D466 3_2_0127D466
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01281FF1 3_2_01281FF1
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0128DFCE 3_2_0128DFCE
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011D6E30 3_2_011D6E30
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0127D616 3_2_0127D616
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01282EF7 3_2_01282EF7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046FB477 11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0479D466 11_2_0479D466
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046E841F 11_2_046E841F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04794496 11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047A1D55 11_2_047A1D55
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046D0D20 11_2_046D0D20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047A2D07 11_2_047A2D07
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046ED5E0 11_2_046ED5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047A25DD 11_2_047A25DD
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04702581 11_2_04702581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04792D82 11_2_04792D82
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046F6E30 11_2_046F6E30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0479D616 11_2_0479D616
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047A2EF7 11_2_047A2EF7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047A1FF1 11_2_047A1FF1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047ADFCE 11_2_047ADFCE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047AE824 11_2_047AE824
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046FA830 11_2_046FA830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04791002 11_2_04791002
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047A28EC 11_2_047A28EC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047020A0 11_2_047020A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047A20A8 11_2_047A20A8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046EB090 11_2_046EB090
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046F4120 11_2_046F4120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046DF900 11_2_046DF900
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046F99BF 11_2_046F99BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0478FA2B 11_2_0478FA2B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046FB236 11_2_046FB236
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04794AEF 11_2_04794AEF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047A22AE 11_2_047A22AE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046FAB40 11_2_046FAB40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0477CB4F 11_2_0477CB4F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047A2B28 11_2_047A2B28
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046FA309 11_2_046FA309
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047823E3 11_2_047823E3
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047903DA 11_2_047903DA
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0470ABD8 11_2_0470ABD8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0479DBD2 11_2_0479DBD2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0470EBB0 11_2_0470EBB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0470138B 11_2_0470138B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D3BA2C 11_2_02D3BA2C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D3CBBB 11_2_02D3CBBB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D3C95D 11_2_02D3C95D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D22FB0 11_2_02D22FB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D28C80 11_2_02D28C80
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D28C7B 11_2_02D28C7B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D22D90 11_2_02D22D90
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D22D87 11_2_02D22D87
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: String function: 011BB150 appears 54 times
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: String function: 046DB150 appears 136 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_004185E0 NtCreateFile, 3_2_004185E0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_00418690 NtReadFile, 3_2_00418690
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_00418710 NtClose, 3_2_00418710
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_004187C0 NtAllocateVirtualMemory, 3_2_004187C0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_004185DA NtCreateFile, 3_2_004185DA
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0041868A NtReadFile, 3_2_0041868A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0041870A NtClose, 3_2_0041870A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_011F9910
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F99A0 NtCreateSection,LdrInitializeThunk, 3_2_011F99A0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F9840 NtDelayExecution,LdrInitializeThunk, 3_2_011F9840
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F9860 NtQuerySystemInformation,LdrInitializeThunk, 3_2_011F9860
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F98F0 NtReadVirtualMemory,LdrInitializeThunk, 3_2_011F98F0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F9A00 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_011F9A00
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F9A20 NtResumeThread,LdrInitializeThunk, 3_2_011F9A20
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F9A50 NtCreateFile,LdrInitializeThunk, 3_2_011F9A50
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F9540 NtReadFile,LdrInitializeThunk, 3_2_011F9540
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F95D0 NtClose,LdrInitializeThunk, 3_2_011F95D0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F9710 NtQueryInformationToken,LdrInitializeThunk, 3_2_011F9710
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F9780 NtMapViewOfSection,LdrInitializeThunk, 3_2_011F9780
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F97A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_011F97A0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F9FE0 NtCreateMutant,LdrInitializeThunk, 3_2_011F9FE0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F9660 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_011F9660
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F96E0 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_011F96E0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F9950 NtQueueApcThread, 3_2_011F9950
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F99D0 NtCreateProcessEx, 3_2_011F99D0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F9820 NtEnumerateKey, 3_2_011F9820
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011FB040 NtSuspendThread, 3_2_011FB040
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F98A0 NtWriteVirtualMemory, 3_2_011F98A0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F9B00 NtSetValueKey, 3_2_011F9B00
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011FA3B0 NtGetContextThread, 3_2_011FA3B0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F9A10 NtQuerySection, 3_2_011F9A10
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F9A80 NtOpenDirectoryObject, 3_2_011F9A80
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011FAD30 NtSetContextThread, 3_2_011FAD30
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F9520 NtWaitForSingleObject, 3_2_011F9520
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F9560 NtWriteFile, 3_2_011F9560
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F95F0 NtQueryInformationFile, 3_2_011F95F0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011FA710 NtOpenProcessToken, 3_2_011FA710
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F9730 NtQueryVirtualMemory, 3_2_011F9730
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011FA770 NtOpenThread, 3_2_011FA770
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F9770 NtSetInformationFile, 3_2_011F9770
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F9760 NtOpenProcess, 3_2_011F9760
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F9610 NtEnumerateValueKey, 3_2_011F9610
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F9650 NtQueryValueKey, 3_2_011F9650
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F9670 NtQueryInformationProcess, 3_2_011F9670
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F96D0 NtCreateKey, 3_2_011F96D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04719540 NtReadFile,LdrInitializeThunk, 11_2_04719540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047195D0 NtClose,LdrInitializeThunk, 11_2_047195D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04719660 NtAllocateVirtualMemory,LdrInitializeThunk, 11_2_04719660
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04719650 NtQueryValueKey,LdrInitializeThunk, 11_2_04719650
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047196E0 NtFreeVirtualMemory,LdrInitializeThunk, 11_2_047196E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047196D0 NtCreateKey,LdrInitializeThunk, 11_2_047196D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04719710 NtQueryInformationToken,LdrInitializeThunk, 11_2_04719710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04719FE0 NtCreateMutant,LdrInitializeThunk, 11_2_04719FE0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04719780 NtMapViewOfSection,LdrInitializeThunk, 11_2_04719780
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04719860 NtQuerySystemInformation,LdrInitializeThunk, 11_2_04719860
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04719840 NtDelayExecution,LdrInitializeThunk, 11_2_04719840
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04719910 NtAdjustPrivilegesToken,LdrInitializeThunk, 11_2_04719910
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047199A0 NtCreateSection,LdrInitializeThunk, 11_2_047199A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04719A50 NtCreateFile,LdrInitializeThunk, 11_2_04719A50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04719560 NtWriteFile, 11_2_04719560
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0471AD30 NtSetContextThread, 11_2_0471AD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04719520 NtWaitForSingleObject, 11_2_04719520
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047195F0 NtQueryInformationFile, 11_2_047195F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04719670 NtQueryInformationProcess, 11_2_04719670
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04719610 NtEnumerateValueKey, 11_2_04719610
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0471A770 NtOpenThread, 11_2_0471A770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04719770 NtSetInformationFile, 11_2_04719770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04719760 NtOpenProcess, 11_2_04719760
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04719730 NtQueryVirtualMemory, 11_2_04719730
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0471A710 NtOpenProcessToken, 11_2_0471A710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047197A0 NtUnmapViewOfSection, 11_2_047197A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0471B040 NtSuspendThread, 11_2_0471B040
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04719820 NtEnumerateKey, 11_2_04719820
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047198F0 NtReadVirtualMemory, 11_2_047198F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047198A0 NtWriteVirtualMemory, 11_2_047198A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04719950 NtQueueApcThread, 11_2_04719950
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047199D0 NtCreateProcessEx, 11_2_047199D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04719A20 NtResumeThread, 11_2_04719A20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04719A10 NtQuerySection, 11_2_04719A10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04719A00 NtProtectVirtualMemory, 11_2_04719A00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04719A80 NtOpenDirectoryObject, 11_2_04719A80
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04719B00 NtSetValueKey, 11_2_04719B00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0471A3B0 NtGetContextThread, 11_2_0471A3B0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D38690 NtReadFile, 11_2_02D38690
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D387C0 NtAllocateVirtualMemory, 11_2_02D387C0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D38710 NtClose, 11_2_02D38710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D385E0 NtCreateFile, 11_2_02D385E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D3868A NtReadFile, 11_2_02D3868A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D3870A NtClose, 11_2_02D3870A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D385DA NtCreateFile, 11_2_02D385DA
Sample file is different than original file name gathered from version info
Source: Wellis Inquiry.exe Binary or memory string: OriginalFilename vs Wellis Inquiry.exe
Source: Wellis Inquiry.exe, 00000000.00000002.673472401.00000000083A0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll< vs Wellis Inquiry.exe
Source: Wellis Inquiry.exe, 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameriched20.dllp( vs Wellis Inquiry.exe
Source: Wellis Inquiry.exe, 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp Binary or memory string: m,\\StringFileInfo\\000004B0\\OriginalFilename vs Wellis Inquiry.exe
Source: Wellis Inquiry.exe, 00000003.00000002.747172824.00000000031A9000.00000040.00020000.sdmp Binary or memory string: OriginalFilenameCMMON32.exe` vs Wellis Inquiry.exe
Source: Wellis Inquiry.exe, 00000003.00000002.746125583.00000000012AF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Wellis Inquiry.exe
Source: Wellis Inquiry.exe Binary or memory string: OriginalFilenameMutexAccessRu.exe8 vs Wellis Inquiry.exe
Source: Wellis Inquiry.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Wellis Inquiry.exe 'C:\Users\user\Desktop\Wellis Inquiry.exe'
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Process created: C:\Users\user\Desktop\Wellis Inquiry.exe C:\Users\user\Desktop\Wellis Inquiry.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Wellis Inquiry.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Process created: C:\Users\user\Desktop\Wellis Inquiry.exe C:\Users\user\Desktop\Wellis Inquiry.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Wellis Inquiry.exe' Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wellis Inquiry.exe.log Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@9/6
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6796:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Wellis Inquiry.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Wellis Inquiry.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmmon32.pdb source: Wellis Inquiry.exe, 00000003.00000002.747156139.00000000031A0000.00000040.00020000.sdmp
Source: Binary string: cmmon32.pdbGCTL source: Wellis Inquiry.exe, 00000003.00000002.747156139.00000000031A0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: Wellis Inquiry.exe, 00000003.00000002.746125583.00000000012AF000.00000040.00000001.sdmp, cmmon32.exe, 0000000B.00000002.922767322.00000000046B0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Wellis Inquiry.exe, cmmon32.exe

Data Obfuscation:

.NET source code contains potential unpacker
Source: Wellis Inquiry.exe, WinUsbInitForm.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.Wellis Inquiry.exe.ff0000.0.unpack, WinUsbInitForm.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.Wellis Inquiry.exe.ff0000.0.unpack, WinUsbInitForm.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.Wellis Inquiry.exe.6a0000.0.unpack, WinUsbInitForm.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.2.Wellis Inquiry.exe.6a0000.1.unpack, WinUsbInitForm.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0041B822 push eax; ret 3_2_0041B828
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0041B82B push eax; ret 3_2_0041B892
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_004160E3 push 21204C73h; retf 3_2_004160E8
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0041B88C push eax; ret 3_2_0041B892
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_004091C6 push eax; ret 3_2_004091CA
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_00416278 push ebp; ret 3_2_00416274
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0041621F push ebp; ret 3_2_00416274
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0040EE6C push edx; ret 3_2_0040EE6D
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_00415EAC push FFFFFFABh; iretd 3_2_00415EBF
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0041B7D5 push eax; ret 3_2_0041B828
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0120D0D1 push ecx; ret 3_2_0120D0E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0472D0D1 push ecx; ret 11_2_0472D0E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D36278 push ebp; ret 11_2_02D36274
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D3621F push ebp; ret 11_2_02D36274
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D360E3 push 21204C73h; retf 11_2_02D360E8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D3B88C push eax; ret 11_2_02D3B892
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D3B822 push eax; ret 11_2_02D3B828
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D3B82B push eax; ret 11_2_02D3B892
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D291C6 push eax; ret 11_2_02D291CA
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D35EAC push FFFFFFABh; iretd 11_2_02D35EBF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D2EE6C push edx; ret 11_2_02D2EE6D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_02D3B7D5 push eax; ret 11_2_02D3B828
Source: initial sample Static PE information: section name: .text entropy: 7.93897204497

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: /c del 'C:\Users\user\Desktop\Wellis Inquiry.exe'
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: /c del 'C:\Users\user\Desktop\Wellis Inquiry.exe' Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.Wellis Inquiry.exe.339002c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Wellis Inquiry.exe PID: 7036, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Wellis Inquiry.exe, 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: Wellis Inquiry.exe, 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Wellis Inquiry.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Wellis Inquiry.exe RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 0000000002D28604 second address: 0000000002D2860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 0000000002D2899E second address: 0000000002D289A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Wellis Inquiry.exe TID: 7040 Thread sleep time: -40370s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe TID: 7064 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 2848 Thread sleep time: -35000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 6880 Thread sleep time: -36000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmmon32.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_004088D0 rdtsc 3_2_004088D0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Thread delayed: delay time: 40370 Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Wellis Inquiry.exe, 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Wellis Inquiry.exe, 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000000.679441377.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Wellis Inquiry.exe, 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000004.00000000.709634080.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.672692112.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000004.00000000.697371801.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000004.00000000.713207756.000000000A897000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000004.00000000.679809243.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: Wellis Inquiry.exe, 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_004088D0 rdtsc 3_2_004088D0
Enables debug privileges
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011B9100 mov eax, dword ptr fs:[00000030h] 3_2_011B9100
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E513A mov eax, dword ptr fs:[00000030h] 3_2_011E513A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011D4120 mov eax, dword ptr fs:[00000030h] 3_2_011D4120
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011D4120 mov ecx, dword ptr fs:[00000030h] 3_2_011D4120
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011DB944 mov eax, dword ptr fs:[00000030h] 3_2_011DB944
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011BB171 mov eax, dword ptr fs:[00000030h] 3_2_011BB171
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011BC962 mov eax, dword ptr fs:[00000030h] 3_2_011BC962
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_012749A4 mov eax, dword ptr fs:[00000030h] 3_2_012749A4
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_012369A6 mov eax, dword ptr fs:[00000030h] 3_2_012369A6
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E2990 mov eax, dword ptr fs:[00000030h] 3_2_011E2990
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011EA185 mov eax, dword ptr fs:[00000030h] 3_2_011EA185
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_012351BE mov eax, dword ptr fs:[00000030h] 3_2_012351BE
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011DC182 mov eax, dword ptr fs:[00000030h] 3_2_011DC182
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E61A0 mov eax, dword ptr fs:[00000030h] 3_2_011E61A0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_012441E8 mov eax, dword ptr fs:[00000030h] 3_2_012441E8
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011BB1E1 mov eax, dword ptr fs:[00000030h] 3_2_011BB1E1
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011DA830 mov eax, dword ptr fs:[00000030h] 3_2_011DA830
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E002D mov eax, dword ptr fs:[00000030h] 3_2_011E002D
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01237016 mov eax, dword ptr fs:[00000030h] 3_2_01237016
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011CB02A mov eax, dword ptr fs:[00000030h] 3_2_011CB02A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01284015 mov eax, dword ptr fs:[00000030h] 3_2_01284015
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011D0050 mov eax, dword ptr fs:[00000030h] 3_2_011D0050
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01272073 mov eax, dword ptr fs:[00000030h] 3_2_01272073
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01281074 mov eax, dword ptr fs:[00000030h] 3_2_01281074
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011B9080 mov eax, dword ptr fs:[00000030h] 3_2_011B9080
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011EF0BF mov ecx, dword ptr fs:[00000030h] 3_2_011EF0BF
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011EF0BF mov eax, dword ptr fs:[00000030h] 3_2_011EF0BF
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01233884 mov eax, dword ptr fs:[00000030h] 3_2_01233884
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F90AF mov eax, dword ptr fs:[00000030h] 3_2_011F90AF
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E20A0 mov eax, dword ptr fs:[00000030h] 3_2_011E20A0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0124B8D0 mov eax, dword ptr fs:[00000030h] 3_2_0124B8D0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0124B8D0 mov ecx, dword ptr fs:[00000030h] 3_2_0124B8D0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011B58EC mov eax, dword ptr fs:[00000030h] 3_2_011B58EC
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011B40E1 mov eax, dword ptr fs:[00000030h] 3_2_011B40E1
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0127131B mov eax, dword ptr fs:[00000030h] 3_2_0127131B
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011BF358 mov eax, dword ptr fs:[00000030h] 3_2_011BF358
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011BDB40 mov eax, dword ptr fs:[00000030h] 3_2_011BDB40
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E3B7A mov eax, dword ptr fs:[00000030h] 3_2_011E3B7A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01288B58 mov eax, dword ptr fs:[00000030h] 3_2_01288B58
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011BDB60 mov ecx, dword ptr fs:[00000030h] 3_2_011BDB60
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E2397 mov eax, dword ptr fs:[00000030h] 3_2_011E2397
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01285BA5 mov eax, dword ptr fs:[00000030h] 3_2_01285BA5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011EB390 mov eax, dword ptr fs:[00000030h] 3_2_011EB390
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C1B8F mov eax, dword ptr fs:[00000030h] 3_2_011C1B8F
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0126D380 mov ecx, dword ptr fs:[00000030h] 3_2_0126D380
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0127138A mov eax, dword ptr fs:[00000030h] 3_2_0127138A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E4BAD mov eax, dword ptr fs:[00000030h] 3_2_011E4BAD
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_012353CA mov eax, dword ptr fs:[00000030h] 3_2_012353CA
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011DDBE9 mov eax, dword ptr fs:[00000030h] 3_2_011DDBE9
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E03E2 mov eax, dword ptr fs:[00000030h] 3_2_011E03E2
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011D3A1C mov eax, dword ptr fs:[00000030h] 3_2_011D3A1C
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011B5210 mov eax, dword ptr fs:[00000030h] 3_2_011B5210
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011B5210 mov ecx, dword ptr fs:[00000030h] 3_2_011B5210
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011BAA16 mov eax, dword ptr fs:[00000030h] 3_2_011BAA16
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C8A0A mov eax, dword ptr fs:[00000030h] 3_2_011C8A0A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0127AA16 mov eax, dword ptr fs:[00000030h] 3_2_0127AA16
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F4A2C mov eax, dword ptr fs:[00000030h] 3_2_011F4A2C
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011DA229 mov eax, dword ptr fs:[00000030h] 3_2_011DA229
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0126B260 mov eax, dword ptr fs:[00000030h] 3_2_0126B260
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0126B260 mov eax, dword ptr fs:[00000030h] 3_2_0126B260
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01288A62 mov eax, dword ptr fs:[00000030h] 3_2_01288A62
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011B9240 mov eax, dword ptr fs:[00000030h] 3_2_011B9240
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011B9240 mov eax, dword ptr fs:[00000030h] 3_2_011B9240
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011B9240 mov eax, dword ptr fs:[00000030h] 3_2_011B9240
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011B9240 mov eax, dword ptr fs:[00000030h] 3_2_011B9240
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F927A mov eax, dword ptr fs:[00000030h] 3_2_011F927A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0127EA55 mov eax, dword ptr fs:[00000030h] 3_2_0127EA55
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01244257 mov eax, dword ptr fs:[00000030h] 3_2_01244257
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011ED294 mov eax, dword ptr fs:[00000030h] 3_2_011ED294
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011ED294 mov eax, dword ptr fs:[00000030h] 3_2_011ED294
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011CAAB0 mov eax, dword ptr fs:[00000030h] 3_2_011CAAB0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011CAAB0 mov eax, dword ptr fs:[00000030h] 3_2_011CAAB0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011EFAB0 mov eax, dword ptr fs:[00000030h] 3_2_011EFAB0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011B52A5 mov eax, dword ptr fs:[00000030h] 3_2_011B52A5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011B52A5 mov eax, dword ptr fs:[00000030h] 3_2_011B52A5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011B52A5 mov eax, dword ptr fs:[00000030h] 3_2_011B52A5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011B52A5 mov eax, dword ptr fs:[00000030h] 3_2_011B52A5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011B52A5 mov eax, dword ptr fs:[00000030h] 3_2_011B52A5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E2ACB mov eax, dword ptr fs:[00000030h] 3_2_011E2ACB
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E2AE4 mov eax, dword ptr fs:[00000030h] 3_2_011E2AE4
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0123A537 mov eax, dword ptr fs:[00000030h] 3_2_0123A537
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01288D34 mov eax, dword ptr fs:[00000030h] 3_2_01288D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0127E539 mov eax, dword ptr fs:[00000030h] 3_2_0127E539
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E4D3B mov eax, dword ptr fs:[00000030h] 3_2_011E4D3B
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E4D3B mov eax, dword ptr fs:[00000030h] 3_2_011E4D3B
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E4D3B mov eax, dword ptr fs:[00000030h] 3_2_011E4D3B
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h] 3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h] 3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h] 3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h] 3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h] 3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h] 3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h] 3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h] 3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h] 3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h] 3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h] 3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h] 3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h] 3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011BAD30 mov eax, dword ptr fs:[00000030h] 3_2_011BAD30
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011D7D50 mov eax, dword ptr fs:[00000030h] 3_2_011D7D50
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F3D43 mov eax, dword ptr fs:[00000030h] 3_2_011F3D43
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01233540 mov eax, dword ptr fs:[00000030h] 3_2_01233540
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01263D40 mov eax, dword ptr fs:[00000030h] 3_2_01263D40
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011DC577 mov eax, dword ptr fs:[00000030h] 3_2_011DC577
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011DC577 mov eax, dword ptr fs:[00000030h] 3_2_011DC577
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_012805AC mov eax, dword ptr fs:[00000030h] 3_2_012805AC
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_012805AC mov eax, dword ptr fs:[00000030h] 3_2_012805AC
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011EFD9B mov eax, dword ptr fs:[00000030h] 3_2_011EFD9B
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011EFD9B mov eax, dword ptr fs:[00000030h] 3_2_011EFD9B
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011B2D8A mov eax, dword ptr fs:[00000030h] 3_2_011B2D8A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011B2D8A mov eax, dword ptr fs:[00000030h] 3_2_011B2D8A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011B2D8A mov eax, dword ptr fs:[00000030h] 3_2_011B2D8A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011B2D8A mov eax, dword ptr fs:[00000030h] 3_2_011B2D8A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011B2D8A mov eax, dword ptr fs:[00000030h] 3_2_011B2D8A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E2581 mov eax, dword ptr fs:[00000030h] 3_2_011E2581
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E2581 mov eax, dword ptr fs:[00000030h] 3_2_011E2581
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E2581 mov eax, dword ptr fs:[00000030h] 3_2_011E2581
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E2581 mov eax, dword ptr fs:[00000030h] 3_2_011E2581
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E1DB5 mov eax, dword ptr fs:[00000030h] 3_2_011E1DB5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E1DB5 mov eax, dword ptr fs:[00000030h] 3_2_011E1DB5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E1DB5 mov eax, dword ptr fs:[00000030h] 3_2_011E1DB5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E35A1 mov eax, dword ptr fs:[00000030h] 3_2_011E35A1
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0127FDE2 mov eax, dword ptr fs:[00000030h] 3_2_0127FDE2
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0127FDE2 mov eax, dword ptr fs:[00000030h] 3_2_0127FDE2
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0127FDE2 mov eax, dword ptr fs:[00000030h] 3_2_0127FDE2
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0127FDE2 mov eax, dword ptr fs:[00000030h] 3_2_0127FDE2
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01268DF1 mov eax, dword ptr fs:[00000030h] 3_2_01268DF1
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01236DC9 mov eax, dword ptr fs:[00000030h] 3_2_01236DC9
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01236DC9 mov eax, dword ptr fs:[00000030h] 3_2_01236DC9
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01236DC9 mov eax, dword ptr fs:[00000030h] 3_2_01236DC9
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01236DC9 mov ecx, dword ptr fs:[00000030h] 3_2_01236DC9
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01236DC9 mov eax, dword ptr fs:[00000030h] 3_2_01236DC9
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01236DC9 mov eax, dword ptr fs:[00000030h] 3_2_01236DC9
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011CD5E0 mov eax, dword ptr fs:[00000030h] 3_2_011CD5E0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011CD5E0 mov eax, dword ptr fs:[00000030h] 3_2_011CD5E0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h] 3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h] 3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h] 3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h] 3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h] 3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h] 3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h] 3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h] 3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h] 3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h] 3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h] 3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h] 3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h] 3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h] 3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0128740D mov eax, dword ptr fs:[00000030h] 3_2_0128740D
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0128740D mov eax, dword ptr fs:[00000030h] 3_2_0128740D
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0128740D mov eax, dword ptr fs:[00000030h] 3_2_0128740D
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01236C0A mov eax, dword ptr fs:[00000030h] 3_2_01236C0A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01236C0A mov eax, dword ptr fs:[00000030h] 3_2_01236C0A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01236C0A mov eax, dword ptr fs:[00000030h] 3_2_01236C0A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01236C0A mov eax, dword ptr fs:[00000030h] 3_2_01236C0A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011EBC2C mov eax, dword ptr fs:[00000030h] 3_2_011EBC2C
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011EA44B mov eax, dword ptr fs:[00000030h] 3_2_011EA44B
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011D746D mov eax, dword ptr fs:[00000030h] 3_2_011D746D
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0124C450 mov eax, dword ptr fs:[00000030h] 3_2_0124C450
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0124C450 mov eax, dword ptr fs:[00000030h] 3_2_0124C450
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C849B mov eax, dword ptr fs:[00000030h] 3_2_011C849B
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01236CF0 mov eax, dword ptr fs:[00000030h] 3_2_01236CF0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01236CF0 mov eax, dword ptr fs:[00000030h] 3_2_01236CF0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01236CF0 mov eax, dword ptr fs:[00000030h] 3_2_01236CF0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_012714FB mov eax, dword ptr fs:[00000030h] 3_2_012714FB
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01288CD6 mov eax, dword ptr fs:[00000030h] 3_2_01288CD6
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011DF716 mov eax, dword ptr fs:[00000030h] 3_2_011DF716
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011EA70E mov eax, dword ptr fs:[00000030h] 3_2_011EA70E
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011EA70E mov eax, dword ptr fs:[00000030h] 3_2_011EA70E
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0128070D mov eax, dword ptr fs:[00000030h] 3_2_0128070D
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0128070D mov eax, dword ptr fs:[00000030h] 3_2_0128070D
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011EE730 mov eax, dword ptr fs:[00000030h] 3_2_011EE730
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0124FF10 mov eax, dword ptr fs:[00000030h] 3_2_0124FF10
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0124FF10 mov eax, dword ptr fs:[00000030h] 3_2_0124FF10
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011B4F2E mov eax, dword ptr fs:[00000030h] 3_2_011B4F2E
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011B4F2E mov eax, dword ptr fs:[00000030h] 3_2_011B4F2E
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01288F6A mov eax, dword ptr fs:[00000030h] 3_2_01288F6A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011CEF40 mov eax, dword ptr fs:[00000030h] 3_2_011CEF40
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011CFF60 mov eax, dword ptr fs:[00000030h] 3_2_011CFF60
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C8794 mov eax, dword ptr fs:[00000030h] 3_2_011C8794
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01237794 mov eax, dword ptr fs:[00000030h] 3_2_01237794
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01237794 mov eax, dword ptr fs:[00000030h] 3_2_01237794
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01237794 mov eax, dword ptr fs:[00000030h] 3_2_01237794
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F37F5 mov eax, dword ptr fs:[00000030h] 3_2_011F37F5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011EA61C mov eax, dword ptr fs:[00000030h] 3_2_011EA61C
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011EA61C mov eax, dword ptr fs:[00000030h] 3_2_011EA61C
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0126FE3F mov eax, dword ptr fs:[00000030h] 3_2_0126FE3F
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011BC600 mov eax, dword ptr fs:[00000030h] 3_2_011BC600
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011BC600 mov eax, dword ptr fs:[00000030h] 3_2_011BC600
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011BC600 mov eax, dword ptr fs:[00000030h] 3_2_011BC600
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E8E00 mov eax, dword ptr fs:[00000030h] 3_2_011E8E00
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01271608 mov eax, dword ptr fs:[00000030h] 3_2_01271608
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011BE620 mov eax, dword ptr fs:[00000030h] 3_2_011BE620
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C7E41 mov eax, dword ptr fs:[00000030h] 3_2_011C7E41
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C7E41 mov eax, dword ptr fs:[00000030h] 3_2_011C7E41
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C7E41 mov eax, dword ptr fs:[00000030h] 3_2_011C7E41
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C7E41 mov eax, dword ptr fs:[00000030h] 3_2_011C7E41
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C7E41 mov eax, dword ptr fs:[00000030h] 3_2_011C7E41
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C7E41 mov eax, dword ptr fs:[00000030h] 3_2_011C7E41
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0127AE44 mov eax, dword ptr fs:[00000030h] 3_2_0127AE44
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0127AE44 mov eax, dword ptr fs:[00000030h] 3_2_0127AE44
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011DAE73 mov eax, dword ptr fs:[00000030h] 3_2_011DAE73
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011DAE73 mov eax, dword ptr fs:[00000030h] 3_2_011DAE73
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011DAE73 mov eax, dword ptr fs:[00000030h] 3_2_011DAE73
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011DAE73 mov eax, dword ptr fs:[00000030h] 3_2_011DAE73
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011DAE73 mov eax, dword ptr fs:[00000030h] 3_2_011DAE73
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C766D mov eax, dword ptr fs:[00000030h] 3_2_011C766D
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_012346A7 mov eax, dword ptr fs:[00000030h] 3_2_012346A7
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01280EA5 mov eax, dword ptr fs:[00000030h] 3_2_01280EA5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01280EA5 mov eax, dword ptr fs:[00000030h] 3_2_01280EA5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01280EA5 mov eax, dword ptr fs:[00000030h] 3_2_01280EA5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0124FE87 mov eax, dword ptr fs:[00000030h] 3_2_0124FE87
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E36CC mov eax, dword ptr fs:[00000030h] 3_2_011E36CC
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011F8EC7 mov eax, dword ptr fs:[00000030h] 3_2_011F8EC7
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_0126FEC0 mov eax, dword ptr fs:[00000030h] 3_2_0126FEC0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_01288ED6 mov eax, dword ptr fs:[00000030h] 3_2_01288ED6
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011E16E0 mov ecx, dword ptr fs:[00000030h] 3_2_011E16E0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_011C76E2 mov eax, dword ptr fs:[00000030h] 3_2_011C76E2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046F746D mov eax, dword ptr fs:[00000030h] 11_2_046F746D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h] 11_2_0470AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h] 11_2_0470AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h] 11_2_0470AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h] 11_2_0470AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h] 11_2_0470AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h] 11_2_0470AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h] 11_2_0470AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h] 11_2_0470AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h] 11_2_0470AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h] 11_2_0470AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h] 11_2_0470AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h] 11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h] 11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h] 11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h] 11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h] 11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h] 11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h] 11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h] 11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h] 11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h] 11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h] 11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h] 11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0476C450 mov eax, dword ptr fs:[00000030h] 11_2_0476C450
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0476C450 mov eax, dword ptr fs:[00000030h] 11_2_0476C450
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0470A44B mov eax, dword ptr fs:[00000030h] 11_2_0470A44B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0470BC2C mov eax, dword ptr fs:[00000030h] 11_2_0470BC2C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047A740D mov eax, dword ptr fs:[00000030h] 11_2_047A740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047A740D mov eax, dword ptr fs:[00000030h] 11_2_047A740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047A740D mov eax, dword ptr fs:[00000030h] 11_2_047A740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h] 11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h] 11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h] 11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h] 11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h] 11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h] 11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h] 11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h] 11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h] 11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h] 11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h] 11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h] 11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h] 11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h] 11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04756C0A mov eax, dword ptr fs:[00000030h] 11_2_04756C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04756C0A mov eax, dword ptr fs:[00000030h] 11_2_04756C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04756C0A mov eax, dword ptr fs:[00000030h] 11_2_04756C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04756C0A mov eax, dword ptr fs:[00000030h] 11_2_04756C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047914FB mov eax, dword ptr fs:[00000030h] 11_2_047914FB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04756CF0 mov eax, dword ptr fs:[00000030h] 11_2_04756CF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04756CF0 mov eax, dword ptr fs:[00000030h] 11_2_04756CF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04756CF0 mov eax, dword ptr fs:[00000030h] 11_2_04756CF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047A8CD6 mov eax, dword ptr fs:[00000030h] 11_2_047A8CD6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h] 11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h] 11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h] 11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h] 11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h] 11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h] 11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h] 11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h] 11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h] 11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h] 11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h] 11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h] 11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h] 11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046E849B mov eax, dword ptr fs:[00000030h] 11_2_046E849B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046FC577 mov eax, dword ptr fs:[00000030h] 11_2_046FC577
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046FC577 mov eax, dword ptr fs:[00000030h] 11_2_046FC577
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04713D43 mov eax, dword ptr fs:[00000030h] 11_2_04713D43
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04753540 mov eax, dword ptr fs:[00000030h] 11_2_04753540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04783D40 mov eax, dword ptr fs:[00000030h] 11_2_04783D40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046F7D50 mov eax, dword ptr fs:[00000030h] 11_2_046F7D50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0479E539 mov eax, dword ptr fs:[00000030h] 11_2_0479E539
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0475A537 mov eax, dword ptr fs:[00000030h] 11_2_0475A537
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04704D3B mov eax, dword ptr fs:[00000030h] 11_2_04704D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04704D3B mov eax, dword ptr fs:[00000030h] 11_2_04704D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04704D3B mov eax, dword ptr fs:[00000030h] 11_2_04704D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047A8D34 mov eax, dword ptr fs:[00000030h] 11_2_047A8D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h] 11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h] 11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h] 11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h] 11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h] 11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h] 11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h] 11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h] 11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h] 11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h] 11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h] 11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h] 11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h] 11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046DAD30 mov eax, dword ptr fs:[00000030h] 11_2_046DAD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04788DF1 mov eax, dword ptr fs:[00000030h] 11_2_04788DF1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046ED5E0 mov eax, dword ptr fs:[00000030h] 11_2_046ED5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046ED5E0 mov eax, dword ptr fs:[00000030h] 11_2_046ED5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0479FDE2 mov eax, dword ptr fs:[00000030h] 11_2_0479FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04756DC9 mov eax, dword ptr fs:[00000030h] 11_2_04756DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04756DC9 mov ecx, dword ptr fs:[00000030h] 11_2_04756DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04701DB5 mov eax, dword ptr fs:[00000030h] 11_2_04701DB5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047035A1 mov eax, dword ptr fs:[00000030h] 11_2_047035A1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047A05AC mov eax, dword ptr fs:[00000030h] 11_2_047A05AC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046D2D8A mov eax, dword ptr fs:[00000030h] 11_2_046D2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0470FD9B mov eax, dword ptr fs:[00000030h] 11_2_0470FD9B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04702581 mov eax, dword ptr fs:[00000030h] 11_2_04702581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04792D82 mov eax, dword ptr fs:[00000030h] 11_2_04792D82
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046E766D mov eax, dword ptr fs:[00000030h] 11_2_046E766D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046FAE73 mov eax, dword ptr fs:[00000030h] 11_2_046FAE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046E7E41 mov eax, dword ptr fs:[00000030h] 11_2_046E7E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0479AE44 mov eax, dword ptr fs:[00000030h] 11_2_0479AE44
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0478FE3F mov eax, dword ptr fs:[00000030h] 11_2_0478FE3F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046DE620 mov eax, dword ptr fs:[00000030h] 11_2_046DE620
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0470A61C mov eax, dword ptr fs:[00000030h] 11_2_0470A61C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046DC600 mov eax, dword ptr fs:[00000030h] 11_2_046DC600
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04708E00 mov eax, dword ptr fs:[00000030h] 11_2_04708E00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04791608 mov eax, dword ptr fs:[00000030h] 11_2_04791608
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046E76E2 mov eax, dword ptr fs:[00000030h] 11_2_046E76E2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047016E0 mov ecx, dword ptr fs:[00000030h] 11_2_047016E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047A8ED6 mov eax, dword ptr fs:[00000030h] 11_2_047A8ED6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04718EC7 mov eax, dword ptr fs:[00000030h] 11_2_04718EC7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0478FEC0 mov eax, dword ptr fs:[00000030h] 11_2_0478FEC0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047036CC mov eax, dword ptr fs:[00000030h] 11_2_047036CC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047546A7 mov eax, dword ptr fs:[00000030h] 11_2_047546A7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047A0EA5 mov eax, dword ptr fs:[00000030h] 11_2_047A0EA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0476FE87 mov eax, dword ptr fs:[00000030h] 11_2_0476FE87
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046EFF60 mov eax, dword ptr fs:[00000030h] 11_2_046EFF60
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047A8F6A mov eax, dword ptr fs:[00000030h] 11_2_047A8F6A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046EEF40 mov eax, dword ptr fs:[00000030h] 11_2_046EEF40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0470E730 mov eax, dword ptr fs:[00000030h] 11_2_0470E730
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046D4F2E mov eax, dword ptr fs:[00000030h] 11_2_046D4F2E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046FB73D mov eax, dword ptr fs:[00000030h] 11_2_046FB73D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0476FF10 mov eax, dword ptr fs:[00000030h] 11_2_0476FF10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047A070D mov eax, dword ptr fs:[00000030h] 11_2_047A070D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046FF716 mov eax, dword ptr fs:[00000030h] 11_2_046FF716
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0470A70E mov eax, dword ptr fs:[00000030h] 11_2_0470A70E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047137F5 mov eax, dword ptr fs:[00000030h] 11_2_047137F5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04757794 mov eax, dword ptr fs:[00000030h] 11_2_04757794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046E8794 mov eax, dword ptr fs:[00000030h] 11_2_046E8794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04792073 mov eax, dword ptr fs:[00000030h] 11_2_04792073
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047A1074 mov eax, dword ptr fs:[00000030h] 11_2_047A1074
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046F0050 mov eax, dword ptr fs:[00000030h] 11_2_046F0050
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046EB02A mov eax, dword ptr fs:[00000030h] 11_2_046EB02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0470002D mov eax, dword ptr fs:[00000030h] 11_2_0470002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046FA830 mov eax, dword ptr fs:[00000030h] 11_2_046FA830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04757016 mov eax, dword ptr fs:[00000030h] 11_2_04757016
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_047A4015 mov eax, dword ptr fs:[00000030h] 11_2_047A4015
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046D58EC mov eax, dword ptr fs:[00000030h] 11_2_046D58EC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046FB8E4 mov eax, dword ptr fs:[00000030h] 11_2_046FB8E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_046D40E1 mov eax, dword ptr fs:[00000030h] 11_2_046D40E1
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Code function: 3_2_00409B40 LdrLoadDll, 3_2_00409B40
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.marunouchi1.com
Source: C:\Windows\explorer.exe Network Connect: 183.90.240.3 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 151.106.117.36 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.richartware.com
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.ebookgratis.online
Source: C:\Windows\explorer.exe Network Connect: 199.59.242.153 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.ovmfinacial.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.blackmagiccomics.com
Source: C:\Windows\explorer.exe Domain query: www.psychedeliccosmetics.com
Source: C:\Windows\explorer.exe Domain query: www.dollpartyla.com
Source: C:\Windows\explorer.exe Domain query: www.aceserial.xyz
Source: C:\Windows\explorer.exe Network Connect: 104.21.2.218 80 Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 2C0000 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Thread register set: target process: 3424 Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Thread register set: target process: 3424 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Process created: C:\Users\user\Desktop\Wellis Inquiry.exe C:\Users\user\Desktop\Wellis Inquiry.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Wellis Inquiry.exe' Jump to behavior
Source: explorer.exe, 00000004.00000000.691080863.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000004.00000000.705317184.0000000001080000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.705317184.0000000001080000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.705317184.0000000001080000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.705317184.0000000001080000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.697371801.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Users\user\Desktop\Wellis Inquiry.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY