
Windows Analysis Report: Wellis Inquiry.exe

Overview

General Information

Sample Name: Wellis Inquiry.exe
Analysis ID: 502627
MD5: c357a8010e661a49df2e813bd22590b6
SHA1: 08ecd005e1449ec97d0405e83649686ae35f6286
SHA256: eef137583da6deb4a1be9882cede6cec5112b74ae79c0773f45b13346c5b2890
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • Wellis Inquiry.exe (PID: 7036 cmdline: 'C:\Users\user\Desktop\Wellis Inquiry.exe' MD5: C357A8010E661A49DF2E813BD22590B6)
    • Wellis Inquiry.exe (PID: 1680 cmdline: C:\Users\user\Desktop\Wellis Inquiry.exe MD5: C357A8010E661A49DF2E813BD22590B6)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmmon32.exe (PID: 5328 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
          • cmd.exe (PID: 7092 cmdline: /c del 'C:\Users\user\Desktop\Wellis Inquiry.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.psychedeliccosmetics.com/ag9v/"], "decoy": ["wordmagicshow.com", "dogparkdate.com", "quickcarehomeopathic.com", "azwar.net", "louisle1909.xyz", "section8lv.com", "felineness.com", "2888sy.com", "wadashoot.com", "kittyuniverse.com", "blushroses.com", "alaskangeneral.com", "yumoo.design", "7xkfic.com", "891827.com", "uspress1.com", "aceserial.xyz", "muellerconfidence.com", "eramakport.com", "tipsandtoesnewton.com", "withph.net", "kravesproet.quest", "restaurantemesana.com", "ghostpunk.art", "cobere9.com", "darshanshastra.com", "barnhsartcrane.com", "richartware.com", "welcomprom2.com", "plantvsundeadhelp.com", "hotsatisfy.com", "fullhindimovies.com", "beautynaturalcosmeticslk.com", "googglo.com", "hongyang98.com", "elishevazz.com", "ebookgratis.online", "urbanyinyoga.com", "sojuicybar.com", "seheon.email", "pokemongosrf.com", "catchytravel.com", "stonecoldice.net", "betinle137.com", "platinumridge.art", "agoodhotel.com", "preventbiotech.com", "ebonyslivestockservice.online", "billionairesboat.com", "dollpartyla.com", "naufragant.com", "cat2628.top", "ietwatiomlan.quest", "soulful-simplicity.com", "kalmmed.com", "luxuryray.com", "pknox.net", "687410.com", "blackmagiccomics.com", "usaworkerscorporation.com", "ovmfinacial.com", "marunouchi1.com", "feshwal.com", "qupontgon.quest"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x6ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x6bec:$sqlite3step: 68 34 1C 7B E1
  • 0x6b08:$sqlite3text: 68 38 2A 90 C5
  • 0x6c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x6b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x6c43:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(24 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.Wellis Inquiry.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.Wellis Inquiry.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.Wellis Inquiry.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bec:$sqlite3step: 68 34 1C 7B E1
  • 0x16b08:$sqlite3text: 68 38 2A 90 C5
  • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
3.2.Wellis Inquiry.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.Wellis Inquiry.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(8 further entries not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
Yara detected FormBook
Source: Yara match | File source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY
Source: 3.2.Wellis Inquiry.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Wellis Inquiry.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Wellis Inquiry.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmmon32.pdb | source: Wellis Inquiry.exe, 00000003.00000002.747156139.00000000031A0000.00000040.00020000.sdmp
Source: Binary string: cmmon32.pdbGCTL | source: Wellis Inquiry.exe, 00000003.00000002.747156139.00000000031A0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP | source: Wellis Inquiry.exe, 00000003.00000002.746125583.00000000012AF000.00000040.00000001.sdmp, cmmon32.exe, 0000000B.00000002.922767322.00000000046B0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: Wellis Inquiry.exe, cmmon32.exe
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 4x nop then pop edi | 3_2_004162C8
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4x nop then pop edi | 11_2_02D362C8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49808 -> 183.90.240.3:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49808 -> 183.90.240.3:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49808 -> 183.90.240.3:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49814 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49814 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49814 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49818 -> 151.106.117.36:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49818 -> 151.106.117.36:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49818 -> 151.106.117.36:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49842 -> 199.59.242.153:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49842 -> 199.59.242.153:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49842 -> 199.59.242.153:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.marunouchi1.com
Source: C:\Windows\explorer.exe | Network Connect: 183.90.240.3 80
Source: C:\Windows\explorer.exe | Network Connect: 151.106.117.36 80
Source: C:\Windows\explorer.exe | Domain query: www.richartware.com
Source: C:\Windows\explorer.exe | Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe | Domain query: www.ebookgratis.online
Source: C:\Windows\explorer.exe | Network Connect: 199.59.242.153 80
Source: C:\Windows\explorer.exe | Domain query: www.ovmfinacial.com
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Domain query: www.blackmagiccomics.com
Source: C:\Windows\explorer.exe | Domain query: www.psychedeliccosmetics.com
Source: C:\Windows\explorer.exe | Domain query: www.dollpartyla.com
Source: C:\Windows\explorer.exe | Domain query: www.aceserial.xyz
Source: C:\Windows\explorer.exe | Network Connect: 104.21.2.218 80
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe | DNS query: www.aceserial.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.psychedeliccosmetics.com/ag9v/
Source: Joe Sandbox View | ASN Name: BODIS-NJUS
Source: Joe Sandbox View | ASN Name: SAKURA-CSAKURAInternetIncJP
Source: global traffic | HTTP traffic detected: GET /ag9v/?9rq=RZxJGV19NODz6/sPl50rcsjPCmhff0B2cQNSD9XNHlzuAkz3tWy1tz3gnsv2II3OKfXw&BFQ=5jI0jhMHA0hx_ HTTP/1.1 | Host: www.marunouchi1.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ag9v/?9rq=B7neoLnMPG5T4Lq1mgXXW304ryc0TDTB8h8f/WhOEZEEcWgrsd/ecy8wgWRxVB11aSvz&BFQ=5jI0jhMHA0hx_ HTTP/1.1 | Host: www.psychedeliccosmetics.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ag9v/?9rq=8aghxAEFV3UFLmLUmwXrjnry4I8PGHpXxFVOvh2n7b9U9R7NlIya57CFUx9pJqwzlAw7&BFQ=5jI0jhMHA0hx_ HTTP/1.1 | Host: www.aceserial.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ag9v/?9rq=VDs0Hn8x6Kri7C1Uc2aKLXPFP0feJseWm2OJ8K++Wp+sqWdpvRON2LvjpBxhi0u2NedX&BFQ=5jI0jhMHA0hx_ HTTP/1.1 | Host: www.ebookgratis.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ag9v/?9rq=vpuErUH2OwLAPGAltxg3/Zj6XscnxJenLEapnG3NwgRlKVIYyl0HnfsKneQfORBHqYbR&BFQ=5jI0jhMHA0hx_ HTTP/1.1 | Host: www.ovmfinacial.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ag9v/?9rq=K9/CDnPG5wdyl4CHzmgShg3gLBJ4YNT1Y6jAhZ/FXp8/egWH1BEUOuCtjJEICRxztW+Z&BFQ=5jI0jhMHA0hx_ HTTP/1.1 | Host: www.dollpartyla.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 199.59.242.153
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 14 Oct 2021 05:29:51 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "615f93b1-113" | Via: 1.1 google | Connection: close | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Content-Type: text/html | Cache-Control: no-cache, no-store, must-revalidate | Pragma: no-cache | Expires: 0 | Server: BitNinja Captcha Server | Date: Thu, 14 Oct 2021 05:29:57 GMT | Content-Length: 13724 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Thu, 14 Oct 2021 05:30:28 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | X-Sorting-Hat-PodId: 189 | X-Sorting-Hat-ShopId: 59880997054 | X-Request-ID: ff951e54-78cb-49de-931e-6e9b39ead4a9 | X-Permitted-Cross-Domain-Policies: none | X-XSS-Protection: 1; mode=block | X-Download-Options: noopen | X-Content-Type-Options: nosniff | X-Dc: gcp-europe-west1 | CF-Cache-Status: DYNAMIC | Server: cloudflare | CF-RAY: 69de6a78386b698b-FRA | alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 | Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css">
Source: Wellis Inquiry.exe, 00000000.00000003.655430474.0000000006353000.00000004.00000001.sdmp | String found in binary or memory: http://en.wikip
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Wellis Inquiry.exe, 00000000.00000003.658175918.000000000633C000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com/
Source: Wellis Inquiry.exe, 00000000.00000003.658175918.000000000633C000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comf
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Wellis Inquiry.exe, 00000000.00000003.658175918.000000000633C000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comtal
Source: Wellis Inquiry.exe, 00000000.00000003.658175918.000000000633C000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comw.m
Source: Wellis Inquiry.exe, 00000000.00000002.673404245.00000000081A0000.00000004.00020000.sdmp | String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Wellis Inquiry.exe, 00000000.00000002.672511476.0000000006330000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comion
Source: Wellis Inquiry.exe, 00000000.00000002.672511476.0000000006330000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp, Wellis Inquiry.exe, 00000000.00000003.659071283.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/(
Source: Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/G
Source: Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y03
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/a-e
Source: Wellis Inquiry.exe, 00000000.00000003.658754582.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/i
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ita
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/G
Source: Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/i
Source: Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/r
Source: Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/tu
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com3
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.comd
Source: Wellis Inquiry.exe, 00000000.00000003.656690322.000000000633A000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Wellis Inquiry.exe, 00000000.00000003.656404711.000000000634B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com51
Source: Wellis Inquiry.exe, 00000000.00000003.656404711.000000000634B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comy
Source: Wellis Inquiry.exe, 00000000.00000003.655923750.000000000634B000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.net
Source: Wellis Inquiry.exe, 00000000.00000003.655882162.000000000634B000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.net4?
          Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: Wellis Inquiry.exe, 00000000.00000003.655923750.000000000634B000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.neth?
          Source: Wellis Inquiry.exe, 00000000.00000003.655923750.000000000634B000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netiv
          Source: Wellis Inquiry.exe, 00000000.00000003.655923750.000000000634B000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netrz
          Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: cmmon32.exe, 0000000B.00000002.923291558.0000000004D62000.00000004.00020000.sdmpString found in binary or memory: https://bitninja.io
          Source: unknown | DNS traffic detected: queries for: www.marunouchi1.com
          Source: global traffic | HTTP traffic detected: GET /ag9v/?9rq=RZxJGV19NODz6/sPl50rcsjPCmhff0B2cQNSD9XNHlzuAkz3tWy1tz3gnsv2II3OKfXw&BFQ=5jI0jhMHA0hx_ HTTP/1.1 | Host: www.marunouchi1.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /ag9v/?9rq=B7neoLnMPG5T4Lq1mgXXW304ryc0TDTB8h8f/WhOEZEEcWgrsd/ecy8wgWRxVB11aSvz&BFQ=5jI0jhMHA0hx_ HTTP/1.1 | Host: www.psychedeliccosmetics.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /ag9v/?9rq=8aghxAEFV3UFLmLUmwXrjnry4I8PGHpXxFVOvh2n7b9U9R7NlIya57CFUx9pJqwzlAw7&BFQ=5jI0jhMHA0hx_ HTTP/1.1 | Host: www.aceserial.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /ag9v/?9rq=VDs0Hn8x6Kri7C1Uc2aKLXPFP0feJseWm2OJ8K++Wp+sqWdpvRON2LvjpBxhi0u2NedX&BFQ=5jI0jhMHA0hx_ HTTP/1.1 | Host: www.ebookgratis.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /ag9v/?9rq=vpuErUH2OwLAPGAltxg3/Zj6XscnxJenLEapnG3NwgRlKVIYyl0HnfsKneQfORBHqYbR&BFQ=5jI0jhMHA0hx_ HTTP/1.1 | Host: www.ovmfinacial.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /ag9v/?9rq=K9/CDnPG5wdyl4CHzmgShg3gLBJ4YNT1Y6jAhZ/FXp8/egWH1BEUOuCtjJEICRxztW+Z&BFQ=5jI0jhMHA0hx_ HTTP/1.1 | Host: www.dollpartyla.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: Wellis Inquiry.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: String function: 011BB150 appears 54 times
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function: 046DB150 appears 136 times
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_004185E0 NtCreateFile
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_00418690 NtReadFile
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_00418710 NtClose
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_004187C0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_004185DA NtCreateFile
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_0041868A NtReadFile
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_0041870A NtClose
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F99A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F98F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9540 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F95D0 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F97A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F96E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9950 NtQueueApcThread
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F99D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9820 NtEnumerateKey
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011FB040 NtSuspendThread
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F98A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9B00 NtSetValueKey
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011FA3B0 NtGetContextThread,3_2_011FA3B0
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011F9A10 NtQuerySection,3_2_011F9A10
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011F9A80 NtOpenDirectoryObject,3_2_011F9A80
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011FAD30 NtSetContextThread,3_2_011FAD30
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011F9520 NtWaitForSingleObject,3_2_011F9520
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011F9560 NtWriteFile,3_2_011F9560
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011F95F0 NtQueryInformationFile,3_2_011F95F0
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011FA710 NtOpenProcessToken,3_2_011FA710
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011F9730 NtQueryVirtualMemory,3_2_011F9730
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011FA770 NtOpenThread,3_2_011FA770
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011F9770 NtSetInformationFile,3_2_011F9770
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011F9760 NtOpenProcess,3_2_011F9760
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011F9610 NtEnumerateValueKey,3_2_011F9610
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011F9650 NtQueryValueKey,3_2_011F9650
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011F9670 NtQueryInformationProcess,3_2_011F9670
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011F96D0 NtCreateKey,3_2_011F96D0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719540 NtReadFile,LdrInitializeThunk,11_2_04719540
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_047195D0 NtClose,LdrInitializeThunk,11_2_047195D0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719660 NtAllocateVirtualMemory,LdrInitializeThunk,11_2_04719660
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719650 NtQueryValueKey,LdrInitializeThunk,